Back to: ASP.NET MVC Tutorial For Beginners and Professionals
ValidateInput Attribute in MVC
The ValidateInput Attribute is used to allow sending HTML content or codes to the server which by default is disabled by ASP.Net MVC to avoid XSS (Cross Site Scripting) attacks. In this article, I will discuss ValidateInput Attribute in ASP.NET MVC Application.
This attribute is used to enable or disable request validation. By default, request validation is enabled in asp.net mvc.
Let’s understand this with an example.
Step 1: Create an ASP.NET MVC 5 application using the Empty template.
Open Visual Studio and create a New project
Select File => New => Project
After clicking on “Project” link a new dialog will pop up.
In that we are going to select web templates from the left pane after selecting web template, we find only one project template in it “ASP.NET Web Application” just select that.
After selecting this project template next we are going to name the project as “validateInputinMVC” and clicking on the OK button a new dialog will pop up with Name “New ASP.NET Project” for selecting project Templates.
In this dialog, we are going to choose Empty project template and then we are choosing MVC checkbox as the Add folders and code reference for.
It will take some to time create the project for us. Once the project is created let us see the folder structure as shown below
Step 2: Add a HomeController.
Right click on the Controllers folder and select controller which will open a pop up for adding the controller as shown below
Select MVC 5 Controller – Empty and click on Add which will open a new pop up for proving the controller name as shown below.
Provide the controller name as Home and click on Add button which will add HomeController. Then copy and paste the below code in HomeController
namespace validateInputinMVC.Controllers
{
public class HomeController : Controller
{
public ActionResult Index()
{
return View();
}
[HttpPost]
public string Index(string comments)
{
return "Your Comments: " + comments;
}
}
}
Step 3: Add Index.cshtml view.
Right click on Index action method and select Add View which will open a pop up as shown below
Then click on Add button which will create the Index.cshtml view. Copy and paste the following code.
@{
ViewBag.Title = "Index";
Layout = null;
}
<div style="font-family: Arial">
@using (Html.BeginForm())
{
<b>Comments:</b>
<br/>
@Html.TextArea("comments")
<br/>
<br/>
<input type="submit" value="submit"/>
}
</div>
Step 4: Run the application and navigate to /Home/Index. Type the text <b>Welcome</b> in the “Comments” textbox and click “Submit” as shown below.
Notice that, we get an error –
This is because, by default, request validation is turned on in ASP.NET MVC and does not allow you to submit any HTML, to prevent XSS (Cross-site scripting attacks).
However, in some cases, we may want the user to be able to submit HTML tags like <b>,<u> etc. For this to happen, we need to turn off request validation, by decorating the action method with the ValidateInput attribute as shown below.
namespace validateInputinMVC.Controllers
{
public class HomeController : Controller
{
public ActionResult Index()
{
return View();
}
[HttpPost]
[ValidateInput(false)]
public string Index(string comments)
{
return "Your Comments: " + comments;
}
}
}
At this point, we should be able to submit comments, with HTML tags in it.
SUMMARY:
In this article, I try to explain the ValidateInput Attribute in ASP.NET MVC application step by step with a simple example. I hope this article will help you for your need. I would like to have your feedback. Please post your feedback, question, or comments about this article.