ValidateInput Attribute to Prevent CSS Attack in MVC

We know that a Cross Site Scripting (CSS) attack is very common and is a well known attack for web applications. If you are unfamiliar with CSS attacks then the following paragraph is for you.

A CSS attack is basically the result of poor form validation, or the input script might inject from a query string but the chances of that are less compared to form validation. How do CSS attacks work? At first the hacker injects some HTML code into a HTML input field and the data along with the HTML tag is saved to the database if we did not check the HTML input string. Now, when there is a need to display the data in a user interface then we will get it from the database and a legitimate browser will parse it as HTML code. If the hacker then injects a normal HTML string then there is no problem at all, haha.. But it does not happen generally. They might inject harmful JavaScript code from an input field that might steel valuable information from the user's computer.

Ok, so this is all about the CSS attack. And I am very sure that you never want to allow a user to inject a HTML element through a form.

In traditional Web Form applications, we use a form validation script (in JavaScript very often) to validate user's input. But the MVC library has done the job for us, we need not to validate or write lengthy code externally.

Here we will see how to prevent a CSS attack using the ValidateInput attribute.

Let's create one simple model as in the following.

  1. public class person  
  2. {  
  3.    public string personDescription { get; set; }  
  4. } 

Just for simplicity we have added only one attribute in the model class. Now we will implement the controller to render the view.

  1. using System;  
  2. using System.Collections.Generic;  
  3. using System.Linq;  
  4. using System.Web;  
  5. using System.Web.Mvc;  
  6. using MVC_5.Models;  
  7. namespace MVC_5.Controllers  
  8. {  
  9.     public class personController : Controller  
  10.     {  
  11.         public ActionResult Index()  
  12.         {  
  13.             return View();  
  14.         }  
  15.         public void GetPerson(person p)  
  16.         {  
  17.         }  
  18.     }  
  19. } 

This is the simple person controller and it will throw the view when the Index() action is called. And in the form submission it will call the GetPerson() action. Fine, let's implement the view to get the form data.

  1. @model MVC_5.Models.person  
  2. @{  
  3.     Layout = null;  
  4. }  
  5. <!DOCTYPE html>  
  6. <html>  
  7. <head>  
  8.     <meta name="viewport" content="width=device-width" />  
  9.     <title>Index</title>  
  10. </head>  
  11. <body>  
  12.     <div>  
  13.         @{  
  14.             using (Html.BeginForm("GetPerson""person"))  
  15.             {  
  16.                 <input type="text" name="personDescription" /> <br />  
  17.                 <input type="submit" value="Submit Form" />  
  18.             }  
  19.          }   
  20.     </div>  
  21. </body>  
  22. </html> 

When we run the application we will find the following output screen.

We are putting in a HTML element along with data. And once we click on the submit button we will see the following screen.

So, in MVC, by default it prevents the HTML element as form data, anyway we can use the ValidateInput attribute to prevent HTML explicitly in this way.
  1. public class personController : Controller  
  2. {  
  3.     public ActionResult Index()  
  4.     {  
  5.         return View();  
  6.     }  
  7.     [ValidateInput(true)]  
  8.     public void GetPerson(person p)  
  9.     {  
  10.     }  
  11. } 

Or we can use the ValidateInput() attribute over the controller.

  1. [ValidateInput(true)]  
  2. public class personController : Controller  
  3. {  
  4. }  

And if we want to allow a HTML element through form input, we can just set the true parameter to false. Then it will allow acceptance of a HTML element as input.


We can use the AllowHtml() attribute of the model property, as in the following to allow a HTML element to a certain property only.

  1. public class person  
  2. {  
  3.     [AllowHtml]  
  4.     public string personDescription { getset; }  
  5. }


It's always a best practice to prevent a HTML element from an input field to prevent or at least to reduce CSS attacks.