<< European ASP.NET MVC Hosting - Amsterdam :: Example Routing in ASP.NET MVC | How to get textboxes values in MVC4 created by jQuery >>

European ASP.NET MVC 4 Hosting - Amsterdam :: ValidateInput and AllowHtml attribute in MVC4

October 28, 2013 09:43 by author

Scott

Sometimes, your required to save Html data in the database. By default Asp.Net MVC doesn't allow a user to submit html for avoiding Cross Site Scripting attack to your application. Suppose you have below form and you can submit the Html in description textarea.

If you do this and try to submit it you will get the error below

However, if you want to do this, you can achieve it by using ValidateInput attribute and AllowHtml attribute.

ValidateInput Attribute

This is the simple way to allow the submission of HTML. This attribute can enable or disable input validation at the controller level or at any action method.

ValidateInput at Controller Level

[ValidateInput(false)]
public class HomeController : Controller
{
public ActionResult AddArticle()
{
return View();
}

[HttpPost]
public ActionResult AddArticle(BlogModel blog)
{
if (ModelState.IsValid)
{

}
return View();
}
}

Now, the user can submit Html for this Controller successfully.

ValidateInput at Action Method Level

public class HomeController : Controller
{
public ActionResult AddArticle()
{
return View();
}

[ValidateInput(false)]
[HttpPost]
public ActionResult AddArticle(BlogModel blog)
{
if (ModelState.IsValid)
{

}
return View();
}
}

Now, the user can submit Html for this action method successfully.

Limitation of ValidateInput attribute

This attribute also has the issue since this allow the Html input for all the properties and that is unsafe. Since you have enable Html input for only one-two properties then how to do this. To allow Html input for a single property, you should useAllowHtml attribute.

AllowHtml Attribute

This is the best way to allow the submission of HTML for a particular property. This attribute will be added to the property of a model to bypass input validation for that property only. This explicit declaration is more secure than the ValidateInput attribute.

using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

public class BlogModel
{
[Required]
[Display(Name = "Title")]
public string Title { get; set; }

[AllowHtml]
[Required]
[Display(Name = "Description")]
public string Description{ get; set; }

}

Make sure, you have removed the ValidateInput attribute from Conroller or Action method. Now, the user can submit Html only for the Description property successfully.

Tags: mvc 4 europe hosting, cheap mvc 4 amsterdam hosting, asp.net mvc 4 host, mvc 4 hosting, mvc european hosting, hostforlife.eu, hostforlife
Categories:
Actions: E-mail | Kick it! | Permalink | comment

Comments (0) | RSS comment feed

Comment RSS

European ASP.NET MVC 4 Hosting - Amsterdam :: How to Upgrade ASP.NET MVC 3 Project to ASP.NET MVC 4 ProjectHow to Upgrade ASP.NET MVC 3 Project to ASP.NET MVC 4 ProjectEuropean ASP.NET MVC Hosting - Amsterdam :: Use ASP.NET MVC Validation Attributes outside of ASP.NetUse ASP.NET MVC Validation Attributes outside of ASP.NetASP NET MVC European Hosting :: What's New in ASP.NET MVC 2.0What's New in ASP.NET MVC 2.0

European ASP.NET MVC 4 and MVC 5 Hosting

European ASP.NET MVC 4 Hosting - Amsterdam :: ValidateInput and AllowHtml attribute in MVC4

ValidateInput Attribute

ValidateInput at Controller Level

ValidateInput at Action Method Level

Limitation of ValidateInput attribute

AllowHtml Attribute

About HostForLIFE.eu

Other Important BLOGs

Featured on

Month List

European ASP.NET MVC 4 and MVC 5 Hosting

European ASP.NET MVC 4 Hosting - Amsterdam :: ValidateInput and AllowHtml attribute in MVC4

ValidateInput Attribute

ValidateInput at Controller Level

ValidateInput at Action Method Level

Limitation of ValidateInput attribute

AllowHtml Attribute

About HostForLIFE.eu

Other Important BLOGs

Featured on

Month List

Tag cloud