Home/ Questions/Q 8646451
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T12:48:43+00:00

I am attempting to bind a user-inputted HTML string from a POST into a

  • 0

I am attempting to bind a user-inputted HTML string from a POST into a simple string variable on a model object. This works fine if I use the [AllowHtml] attribute. However, I’d like to sanitize the HTML before it makes its way into the model so I have created a ModelBinder:

public class SafeHtmlModelBinder : DefaultModelBinder
{
    public override object BindModel(ControllerContext controllerCtx, ModelBindingContext bindingCtx)
    {
        var bound = base.BindModel(controllerCtx, bindingCtx);
        // TODO - return a safe HTML fragment string
        return bound;
    }
}

And also a CustomModelBinderAttribute:

[AttributeUsage(AttributeTargets.Property, AllowMultiple = false, Inherited = false)]
public class SafeHtmlModelBinderAttribute : CustomModelBinderAttribute
{
    public SafeHtmlModelBinderAttribute()
    {
        binder = new SafeHtmlModelBinder();
    }

    private IModelBinder binder;

    public override IModelBinder GetBinder()
    {
        return binder;
    }
}

I then annotate the model properties which I want to be sanitized with the new attribute:

[Required(AllowEmptyStrings = false, ErrorMessage = "You must fill in your profile summary")]
[AllowHtml, SafeHtmlModelBinder, WordCount(Min = 1, Max = 300)]
public string Summary { get; set; }

This is following the example at http://msdn.microsoft.com/en-us/magazine/hh781022.aspx. Unfortunately, it doesn’t seem to work! If I place a breakpoint in my BindModel method it is never hit. Any ideas?

UPDATE

Based on the information from Joel I have changed my IModelBinder to intercept the value when in the SetProperty method and instead apply the SafeHtmlModelBinderAttribute to the class containing string properties that can contain HTML. The code checks that the property is a string and is also allowed to contain HTML before trying to sanitize:

public class SafeHtmlModelBinder : DefaultModelBinder
{
    protected override void SetProperty(
        ControllerContext controllerCtx,
        ModelBindingContext bindingCtx,
        PropertyDescriptor property,
        object value)
    {
        var propertyIsString = property.PropertyType == typeof(string);
        var propertyAllowsHtml = property.Attributes.OfType<AllowHtmlAttribute>().Count() >= 1;

        var input = value as string;
        if (propertyIsString && propertyAllowsHtml && input != null)
        {
            // TODO - sanitize HTML
            value = input;
        }

        base.SetProperty(controllerCtx, bindingCtx, property, value);
    }
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’ve just been struggling with the same thing. It seems like the GetBinder() method is never called. After digging around I found this post where the accepted answer is that its not possible to put a model binding attribute for a property.

    Whether that’s true or not I don’t know but for now I’m just going to try and achieve what I need to do a different way. One idea would be to create a more generic ModelBinder and check for the presence of your attribute when performing the binding, similar to what’s being suggested in this answer.

    • 0