ValidateInput Attribute in MVC Application

Back to: ASP.NET MVC Tutorial For Beginners and Professionals

ValidateInput Attribute in ASP.NET MVC Application

In this article, I am going to discuss the ValidateInput Attribute in ASP.NET MVC Application. Please read our previous article where we discussed How To Create Custom OutputCache Attribute in MVC Application.

What is ValidateInput Attribute in ASP.NET MVC?

The ValidateInput Attribute in MVC is used to allow sending HTML content or codes to the server which is by default disabled by ASP.NET MVC Framework to avoid XSS (Cross-Site Scripting) attacks. This attribute is used to enable or disable request validation. By default, request validation is enabled in ASP.NET MVC Framework.

Example: ValidateInput Attribute in ASP.NET MVC

Let’s understand ValidateInput Attribute in ASP.NET MVC Application with an example.

Step1: Create a new ASP.NET MVC 5 application using the Empty template. Open Visual Studio and create a New Project. Select File => New => Project option as shown in the below image.

After clicking on the “Project” link a new dialog will pop up. In that we are going to select web templates from the left pane after selecting the web template, we find only one project template in its “ASP.NET Web Application” just select that. After selecting the project template next we are going to name the project “validateInputinMVC” and clicking on the OK button as shown in the below image.

Once you click on the OK button a new dialog will pop up with the Name “New ASP.NET Project” for selecting project Templates. In this dialog, we are going to choose the Empty project template and then we are choosing the MVC checkbox and click on the OK button as shown in the below image.

Once you click on the OK button. it will take some to time create the project for us with the following file and folder structure.

Step2: Add a HomeController.

Right-click on the Controllers folder and select controller which will open a pop-up for adding the controller. Here, select “MVC 5 Controller – Empty” and click on the Add button as shown in the below image.

Once you click on the Add button, it will open a new pop-up for proving the controller name. Here, provide the controller name as Home and click on the Add button as shown in the below image.

Once you click on the Add button, it will add the HomeController. Then copy and paste the following code within the HomeController

public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [HttpPost]
    public string Index(string comments)
    {
        return "Your Comments: " + comments;
    }
}

Step3: Add Index.cshtml view.

Right-click on the Index action method and select Add View which will open a pop-up as shown in the below image. Here, we are going with the default values and click on the Add button.

Once you click on the Add button, it will create the Index.cshtml view. Copy and paste the following code into it.

@{
    ViewBag.Title = "Index";
    Layout = null;
}
<div style="font-family: Arial">
    @using (Html.BeginForm())
    {
        <b>Comments:</b> 
        <br/>
        @Html.TextArea("comments")
        <br/>
        <br/>
        <input type="submit" value="submit"/>
    }
</div>

Step4: Run the application and navigate to /Home/Index. Type the text <b>Welcome</b> in the “Comments” textbox and click “Submit” as shown in the below image.

Notice that, we get the following error –

This is because, by default, request validation is turned on in ASP.NET MVC Application and does not allow you to submit any HTML, to prevent XSS (Cross-site scripting attacks). However, in some cases, we may want the user to be able to submit HTML tags like <b>,<u>, etc. For this to happen, we need to turn off request validation, by decorating the action method with the ValidateInput attribute and set the value as false as shown in the below code.

namespace validateInputinMVC.Controllers
{
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
        [HttpPost]
        [ValidateInput(false)]
        public string Index(string comments)
        {
            return "Your Comments: " + comments;
        }
    }
}

At this point, we should be able to submit comments, with HTML tags in them. In the next article, I am going to discuss the RequireHttps Attribute in ASP.NET MVC Application. Here, in this article, I try to explain the ValidateInput Attribute in ASP.NET MVC application with Examples. I hope this ValidateInput Attribute in MVC article will help you with your need. I would like to have your feedback. Please post your feedback, question, or comments about this ValidateInput Attribute in MVC article.

Dot Net Tutorials

About the Author: Pranaya Rout

Pranaya Rout has published more than 3,000 articles in his 11-year career. Pranaya Rout has very good experience with Microsoft Technologies, Including C#, VB, ASP.NET MVC, ASP.NET Web API, EF, EF Core, ADO.NET, LINQ, SQL Server, MYSQL, Oracle, ASP.NET Core, Cloud Computing, Microservices, Design Patterns and still learning new technologies.

2 thoughts on “ValidateInput Attribute in ASP.NET MVC”

NA
August 1, 2020 at 8:48 pm

Thanks for this information. I am going to implement this in my next project.

Joshua Nelsom
August 18, 2020 at 1:13 pm

Great work ! But please can you explain how to put this attribute on get request ?