How to allow my Asp.net MVC 3 web app using MathJax to accept user input $x<y>z$?

I am developing a mathematics site using Asp.Net MVC 3 + Razor + MathJax. MathJax is a javascript library to render TeX or LaTeX codes on the web browser. And TeX or LaTeX codes represent mathematics contents such as an inline math $y=mx+c$ and a displayed math \[y=mx+c\].

Right now my site can accept input, for example, $x<y$. However it cannot accept $x<y>z$ because the framework regards this input is vulnerable to XSS and XSRF.

Shortly spe开发者_高级运维aking, what I should do to accomplish what I want but it does not open security vulnerability.

---

In ASP.NET MVC 3 you could decorate the property of you model that needs to accept this input with the [AllowHtml] attribute. This way you are not forced to disable input validation for the entire controller action which was previously done by decorating it with the [ValidateInput] attribute. So on your model

public class MathematicsViewModel
{
    public int Id { get; set; }
    public string Name { get; set; }

    [AllowHtml]
    public string MathematicFormula { get; set; }
}

and then have your controller action:

[HttpPost]
public ActionResult(MathematicsViewModel model)
{
    // model.MathematicFormula will now accept input like  $x<y>z$
    ...
}

And inside your view you could have a textbox named MathematicFormula in which the user could type those characters and you won't get exception.

Also don't forget to set the following in your web.config or this attribute won't have effect in .NET 4.0 (which is what ASP.NET MVC 3 uses):

<httpRuntime requestValidationMode="2.0"/>

---

You should use the ValidateInputAttribute on your action method

[ValidateInput(false)]
public ViewResult Create() {

}

Edit

And if you use .net 4, don't forget to add <httpRuntime requestValidationMode="2.0"/> to the web.config as follows

<configuration>
<system.web>
<httpRuntime requestValidationMode="2.0"/>
</system.web>
</configuration>