Home/ Questions/Q 8030837
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T00:53:46+00:00

I am getting an HTML encoded value out of MVC’s [RegularExpression] validator when it

  • 0

I am getting an HTML encoded value out of MVC’s [RegularExpression] validator when it writes the code to the client. This isn’t an issue for the error message (since it should be encoded for later display), but it is really screwing up the regex 🙂 On a string field, my regular expression looks like this:

[RegularExpression(@"^[^\<\>]*$", ErrorMessage = "May not contain <,>")]

When this gets written out by mvc3, it shows up looking like this:

<input ... data-val-regex-pattern="^[^\&amp;lt;\&amp;gt;]*$" 
           data-val-regex="May not contain &amp;lt;,&amp;gt;" .../>

Edit:

  • Because of the encoding, it was also catching <>, but also tripping up on words with:
  • t like tim
  • g like goat
  • probably ; but I didn’t test it

The purpose of this regex is to filter out < and >, rather than disable all validation on the page and preform it on the server side. This field accepts multiple unicode langages, and is only 12 chars long.

My choices look like:

  1. Disable asp.net input sanity checks on one page and check that in the action only
  2. Find a complex regex to match 3+ unicode ranges +/- dashes & numbers – .net + js compat.
  3. Write a custom regex validator that doesn’t have client side validation
  4. Use a [Remote] validator to do it on the server side like we do for other fields

I’m leaning towards #3 now, but I would really like to find a way to keep to built-in functionality. Is there any way to disable this output escaping?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It took me a while, but I found out what seems obvious now: use unicode literals instead of the actual characters <>.

    My regex ended up like this, and works in both .Net & JS

    // \u003c = <,  \u003e = >
[RegularExpression(@"^[^\u003C\u003E]*$", ErrorMessage = "...")]

    I ended up with a custom validation attribute to keep from having that code everywhere. Better would be a custom “default” object adapter & custom jquery validation for this regex, thus allowing a second regex for format to be attached. Work for another day. Here is the custom class & validation:

    Custom subclass of regular expression attribute:

    [AttributeUsage(AttributeTargets.Property, AllowMultiple = false)]
public class RegexUnsafeChars : RegularExpressionAttribute
{
    public RegexUnsafeChars() : base(@"^[^\u003C\u003E]*$")
    {
        base.ErrorMessage = "May not contain <,>";
    }
}

    Because this is a custom attribute, and the provider only checks for EXACT matches, we need to declare the adapter manually. Thankfully we can re-use the built-in regex one. Add this code in Application_Start() in Global.asax.cs

    DataAnnotationsModelValidatorProvider.RegisterAdapter(
            typeof(RegexUnsafeChars), 
            typeof(RegularExpressionAttributeAdapter));
    • 0