Understanding Validation In MVC – Part 5

Before reading this article, I highly recommend reading my previous parts:

Let’s look at a more advanced topic in MVC validation.

This article will help you to understand the [ValidateInput()] attribute in MVC.

Suppose you post a cross-site scripting element as input to your control. When you try to post it, the form either won’t post or will give an error.

Let’s check it. Put some HTML or JavaScript code into the control.

Now, if you click the submit button, the form won’t get submitted or it will give a run-time error.


You will get an error or the form won’t get submitted, because MVC prevents cross-site scripting attacks.


If you still want to submit this (it might be a project requirement), set [ValidateInput(false)] on your post method.


After setting this value, submit the form again. You will notice that your action gets hit.


So by default [ValidateInput()] is true, to prevent cross-site scripting attacks. You may set it to false, but then you have to take care of cross-site scripting yourself. The attached code will help you understand this in more detail.
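
A sketch of what taking care of cross-site scripting can look like once validation is switched off. This is an added example, not the article's attached code: `CommentModel`, `CommentController`, the action names and the `Result` view are hypothetical, and `[AllowHtml]` assumes MVC 3 or later.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical model: only Body may carry markup.
public class CommentModel
{
    public string Author { get; set; }  // still covered by request validation

    [AllowHtml]                         // skips request validation for this property only
    public string Body { get; set; }
}

public class CommentController : Controller
{
    // What the article describes: request validation is off for every value
    // posted to this action, so all of them must be treated as untrusted.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult SubmitRaw(string author, string body)
    {
        // Writing straight into an HTML response: encode each value first,
        // so "<script>" is sent back as "&lt;script&gt;".
        string html = "<p>" + HttpUtility.HtmlEncode(author) + ": "
                    + HttpUtility.HtmlEncode(body) + "</p>";
        return Content(html, "text/html");
    }

    // Narrower alternative: validation stays on for the action, and only
    // CommentModel.Body is exempt through [AllowHtml].
    [HttpPost]
    public ActionResult Submit(CommentModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        // In the Razor view, @Model.Body is HTML-encoded on output.
        // Html.Raw(Model.Body) would emit the markup unencoded.
        return View("Result", model);
    }
}
```

With the second action, markup posted in `Author` is still rejected by request validation, while `Body` reaches the action unchanged.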