HtmlEncode on Post for ASP.Net MVC 3 Html.TextAreaFor

Question

I have an ASP.Net MVC 3 page in which I have an Html.TextAreaFor control, see code below. If I try to submit the page to the http post action with text in angle brackets like:

Answer 1

You could decorate your RequestText property on the view model with the AllowHtmlAttribute:

[AllowHtml]
public string RequestText { get; set; }

This way you are authorizing the client to submit HTML for this property only.

As far as the <%: %> syntax is concerned, this is used to HTML encode some value before outputting it to the page. It is used to protect against XSS attacks. It is irrelevant in your case because you are not outputting to the page, you are receiving HTML characters in a request.