ValidateInput Attribute in ASP.NET MVC Application
In this article, I am going to discuss the ValidateInput Attribute in MVC Application. Please read our previous article where we discussed How To Create Custom OutputCache Attribute in MVC Application. The ValidateInput attribute is used to allow HTML content or code to be sent to the server, which ASP.NET MVC blocks by default to guard against XSS (Cross-Site Scripting) attacks. The attribute is used to enable or disable request validation. By default, request validation is enabled in ASP.NET MVC.
Let’s understand this with an example.
Step 1: Create an ASP.NET MVC 5 application using the Empty template. Open Visual Studio and create a new project. Select File => New => Project.
After clicking on the “Project” link, a new dialog will pop up. In it, select the web templates in the left pane. There is only one project template there, “ASP.NET Web Application”; select that.
After selecting this project template, name the project “validateInputinMVC” and click the OK button. A new dialog named “New ASP.NET Project” will pop up for selecting the project template.
In this dialog, choose the Empty project template and tick the MVC checkbox under “Add folders and core references for”. It will take some time to create the project. Once the project is created, review its folder structure.
Step 2: Add a HomeController.
Right-click on the Controllers folder and select Controller, which will open a pop up for adding the controller.
Select MVC 5 Controller – Empty and click on Add, which will open a new pop up for providing the controller name.
Provide the controller name as Home and click on the Add button, which will add HomeController. Then copy and paste the below code in HomeController.

using System.Web.Mvc;

public class HomeController : Controller
{
    // GET: renders the comment form
    public ActionResult Index()
    {
        return View();
    }

    // POST: echoes the submitted comment back to the browser
    [HttpPost]
    public string Index(string comments)
    {
        return "Your Comments: " + comments;
    }
}
Step 3: Add Index.cshtml view.
Right-click on the Index action method and select Add View, which will open a pop up.
Then click on the Add button, which will create the Index.cshtml view. Copy and paste the following code.

@{
    ViewBag.Title = "Index";
    Layout = null;
}
<div style="font-family: Arial">
    @using (Html.BeginForm())
    {
        <b>Comments:</b>
        <br/>
        @Html.TextArea("comments")
        <br/>
        <br/>
        <input type="submit" value="submit"/>
    }
</div>
Step 4: Run the application and navigate to /Home/Index. Type the text <b>Welcome</b> in the “Comments” textbox and click “Submit”.
Notice that we get an error –
This is because, by default, request validation is turned on in ASP.NET MVC and does not allow you to submit any HTML, in order to prevent XSS (Cross-Site Scripting) attacks.
However, in some cases, we may want the user to be able to submit HTML tags like <b>, <u>, etc. For this to happen, we need to turn off request validation by decorating the action method with the ValidateInput attribute as shown below.

using System.Web.Mvc;

namespace validateInputinMVC.Controllers
{
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }

        [HttpPost]
        [ValidateInput(false)] // turns off request validation for this action only
        public string Index(string comments)
        {
            // The comment is returned exactly as it was submitted
            return "Your Comments: " + comments;
        }
    }
}

At this point, we should be able to submit comments with HTML tags in them. Note that this action returns the comment without encoding it, so with request validation off, whatever markup is submitted is sent back to the browser as HTML.
In the next article, I am going to discuss the RequireHttps Attribute in MVC Application. Here, in this article, I have tried to explain the ValidateInput Attribute in an ASP.NET MVC application step by step with a simple example. I hope this article will help you with your needs. I would like to have your feedback. Please post your feedback, questions, or comments about this article.
Thanks for this information. I am going to implement this in my next project.
Great work! But can you please explain how to put this attribute on a GET request?