Introduction
In this article, we will explore the ValidateInput attribute in ASP.NET MVC. By default, ASP.NET MVC rejects requests that contain HTML markup or script (request validation) to reduce the risk of XSS (Cross-Site Scripting) attacks. The ValidateInput attribute lets you enable or disable that request validation for an action method. By default, request validation is enabled in ASP.NET MVC.
Let us learn this by creating a simple application in ASP.NET MVC.
Step 1
Open SQL Server version 2014 or a version of your choice and create a table with some data.
Step 2
Open Visual Studio, choose the "ASP.NET Web Application" project type, and give your project an appropriate name.
Step 3
Select the "empty" template, check the MVC checkbox, and click OK.
Step 4
Right-click the Controllers folder and add a controller.
A window will appear. Choose "MVC 5 Controller - Empty" and click "Add".
After clicking "Add", another window will appear with the name DefaultController. Change the name to HomeController and click "Add". The HomeController will be added under the Controllers folder. Keep the "Controller" suffix (every controller needs it); replace only the highlighted "Default" part with "Home".
Here is the complete code for HomeController:
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;

    namespace MvcValidateInputAttribute_Demo.Models
    {
        public class HomeController : Controller
        {
            // GET: /Home/Index
            public ActionResult Index()
            {
                return View();
            }

            // POST: /Home/Index - echoes the submitted message back to the browser.
            // Request validation is still enabled here, so any HTML in "message" is rejected.
            [HttpPost]
            public string Index(string message)
            {
                return "Your message: " + message;
            }
        }
    }
Step 5
Right-click on the Index method in HomeController and choose "Add View". The "Add View" window will appear with the default view name "Index" and "Use a layout page" checked. Click "Add".
Code for the Index view:
    @{
        ViewBag.Title = "Index";
    }

    @using (Html.BeginForm())
    {
        <div class="form-group">
            @Html.Label("Message", "Your Message", new { @class = "control-label" })
            @Html.TextArea("Message", "", new { @class = "form-control" })
        </div>
        <div class="form-group">
            <button type="submit" class="btn btn-primary">Submit</button>
        </div>
    }
Step 6
Run the application and navigate to /Home/Index. Type the text <b>Welcome</b> in the textbox and click "Submit", as shown below.
Instead of echoing the message, ASP.NET MVC returns an error page. This is because, by default, request validation is turned on in ASP.NET MVC and does not allow you to submit any HTML, in order to prevent XSS (Cross-Site Scripting) attacks.
However, in some cases, we may want the user to be able to submit HTML tags like <b>, <u>, etc. For this to happen, we need to turn off request validation for that action by decorating the action method with the ValidateInput attribute, as shown below.
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;

    namespace MvcValidateInputAttribute_Demo.Models
    {
        public class HomeController : Controller
        {
            // GET: /Home/Index
            public ActionResult Index()
            {
                return View();
            }

            // POST: /Home/Index
            // [ValidateInput(false)] turns request validation off for every parameter of this action,
            // so HTML in "message" is now accepted.
            [HttpPost]
            [ValidateInput(false)]
            public string Index(string message)
            {
                return "Your message: " + message;
            }
        }
    }
At this point, we should be able to submit comments containing HTML tags.
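Note that [ValidateInput(false)] switches request validation off for every parameter of the action, and the sample then writes the raw markup straight back into the response, so whatever a user submitted is rendered in the browser. The following is an added example (not code from the article) showing a narrower way to accept the <b> and <u> tags the article mentions: the [AllowHtml] attribute from System.Web.Mvc exempts only one view-model property from validation, and the action encodes the whole message before restoring just those two attribute-free tags. The view model CommentViewModel, the controller CommentController and the helper SafeMarkup are hypothetical names chosen for this example.

```csharp
using System.Web;
using System.Web.Mvc;

namespace MvcValidateInputAttribute_Demo.Models   // same namespace as the article's sample
{
    // Hypothetical view model: only Message is exempt from request validation.
    public class CommentViewModel
    {
        [AllowHtml]
        public string Message { get; set; }

        // Not decorated, so request validation still rejects markup posted in this field.
        public string Author { get; set; }
    }

    // Hypothetical helper: HTML-encode everything, then re-enable only the exact,
    // attribute-free tags we want to permit. Anything else (script, event handlers,
    // tags with attributes) stays encoded and is displayed as text, not executed.
    public static class SafeMarkup
    {
        public static string AllowBoldAndUnderline(string input)
        {
            if (string.IsNullOrEmpty(input))
            {
                return string.Empty;
            }

            string encoded = HttpUtility.HtmlEncode(input);   // "<" becomes "&lt;", ">" becomes "&gt;"

            return encoded
                .Replace("&lt;b&gt;", "<b>").Replace("&lt;/b&gt;", "</b>")
                .Replace("&lt;u&gt;", "<u>").Replace("&lt;/u&gt;", "</u>");
        }
    }

    public class CommentController : Controller
    {
        // GET: /Comment/Index
        public ActionResult Index()
        {
            return View(new CommentViewModel());
        }

        // POST: /Comment/Index
        // No [ValidateInput(false)] here: the [AllowHtml] property is the only field that may carry markup.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Index(CommentViewModel model)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            // Author is plain text, so it is fully encoded before it reaches the page.
            string author = HttpUtility.HtmlEncode(model.Author ?? "anonymous");
            string message = SafeMarkup.AllowBoldAndUnderline(model.Message);

            // Input "<b>Welcome</b><script>alert(1)</script>" renders bold "Welcome"
            // followed by the literal text <script>alert(1)</script>.
            return Content("<p>" + author + " wrote: " + message + "</p>", "text/html");
        }
    }
}
```

The matching view must emit @Html.AntiForgeryToken() inside the form for the [ValidateAntiForgeryToken] check to pass, and bind the textarea to model.Message (for example @Html.TextAreaFor(m => m.Message)). The encode-then-restore approach is deliberately simple; if you need to accept a richer subset of HTML, use a dedicated HTML sanitizer library rather than extending the Replace chain.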