PageData will contain the contents of a div, so there will be HTML within it. I've disabled ValidateInput to allow for 'potentially dangerous' data.
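
    using System.Web.Mvc;
    using Umbraco.Core;
    using Umbraco.Web.Mvc;

    public class PDFController : SurfaceController
    {
        // HttpPost here is System.Web.Mvc.HttpPost; the System.Web.Http attribute of the
        // same name is the Web API one and is not applied to MVC actions.
        // ValidateInput(false) turns request validation off for the whole action.
        [HttpPost, ValidateInput(false)]
        public ActionResult GeneratePDF(string fileName)
        {
            var PDFMeContent = Request.Form["PageData"];
            var xpath = Umbraco.ContentSingleAtXPath("//pDFTemplate");
            // Added Umbraco.Core reference to allow to use IsNullOrWhiteSpace helper.
            if (fileName.IsNullOrWhiteSpace())
            {
                fileName = "OwainCodes.PDF";
            }
            return new Rotativa.UrlAsPdf("https://www.owain.codes")
            {
                FileName = fileName
            };
        }
    }
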
IIRC, it would be better to change your action to receive the full model, and then on the model allow "allow html" on only that single property rather than on the whole method. Anything that can receive HTML is a potential risk, so you need to be careful IIRC.
https://www.dotnettricks.com/learn/mvc/html-submission-by-validateinput-and-allowhtml-attribute-in-mvc4 << this is a reasonable explanation.
And another one https://www.jitbit.com/alexblog/273-aspnet-mvc-allowing-html-for-particular-action-parameters/
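
The suggestion in the reply above, sketched as an added example (not code from either poster): the action binds a model and only the PageData property is marked `[AllowHtml]`, so request validation still covers everything else. The model name `PdfRequestModel` is hypothetical; the property names assume the form posts `PageData` and `fileName` fields as in the question.

```csharp
using System.Web.Mvc;
using Umbraco.Core;
using Umbraco.Web.Mvc;

// Hypothetical model; property names mirror the form fields used in the question.
public class PdfRequestModel
{
    // Request validation still applies to this property.
    public string FileName { get; set; }

    // Only this property skips request validation, so it can carry the div's HTML.
    [AllowHtml]
    public string PageData { get; set; }
}

public class PDFController : SurfaceController
{
    [HttpPost] // no ValidateInput(false): the rest of the request stays validated
    public ActionResult GeneratePDF(PdfRequestModel model)
    {
        // Read the HTML from the bound model. Request.Form["PageData"] would run
        // request validation on the raw value and throw on the markup.
        var pdfMeContent = model.PageData; // untrusted input: sanitise or encode before rendering it

        var fileName = model.FileName;
        if (fileName.IsNullOrWhiteSpace())
        {
            fileName = "OwainCodes.PDF";
        }

        return new Rotativa.UrlAsPdf("https://www.owain.codes")
        {
            FileName = fileName
        };
    }
}
```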