ValidateInput Attribute In ASP.NET MVC

In this article, you will learn about the ValidateInput attribute in ASP.NET MVC.

Introduction

 
In this article, we will explore the ValidateInput attribute in ASP.NET MVC. By default, request validation is enabled in ASP.NET MVC, and it rejects requests that contain HTML content or code in order to prevent XSS (Cross-Site Scripting) attacks. The ValidateInput attribute enables or disables request validation, so it can be used to allow HTML content to be sent to the server.
 
Let us learn this by creating a simple application in ASP.NET MVC. 
 
Step 1
 
Open SQL Server version 2014 or a version of your choice and create a table with some data.
 
Step 2 
 
Choose the "web application" project type and give your project an appropriate name.
 
 
Step 3
 
Select the "empty" template, check the MVC checkbox, and click OK.
 
 
Step 4
 
Right-click the Controllers folder and add a controller.
 
 
A window will appear. Choose MVC5 Controller-Empty and click "Add".
 
 
After clicking "Add", another window will appear with the name DefaultController. Change the name to HomeController and click "Add". The HomeController will be added under the Controllers folder. Keep the Controller suffix on every controller name; change only the highlighted part, replacing Default with Home.
 
 
Here is the complete code for Home Controller 
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;

    namespace MvcValidateInputAttribute_Demo.Models
    {
        public class HomeController : Controller
        {
            // GET: Home
            // Renders the form defined in the Index view.
            public ActionResult Index()
            {
                return View();
            }

            // POST: Home
            // Echoes the submitted message back in the response.
            // Request validation is still on here (the default).
            [HttpPost]
            public string Index(string message)
            {
                return "Your message" + message;
            }
        }
    }

Step 5
 
Right-click the Index method in HomeController. The "Add View" window will appear with the default name Index and the "use a layout page" option checked. Click "Add".
 
 
Code for Index View
    @{
        ViewBag.Title = "Index";
    }

    @* Posts the "Message" field back to the Index action *@
    @using (Html.BeginForm())
    {
        <div class="form-group">
            @Html.Label("Message", "Your Message", new { @class = "control-label" })
            @Html.TextArea("Message", "", new { @class = "form-control" })
        </div>
        <div class="form-group">
            <button type="submit" class="btn btn-primary">Submit</button>
        </div>
    }

Step 6
 
Run the application and navigate to /Home/Index. Type the text <b>Welcome</b> in the textbox and click "Submit".
 
The request fails with the error "A potentially dangerous Request.Form value was detected from the client". This is because, by default, request validation is turned on in ASP.NET MVC and does not allow you to submit any HTML, in order to prevent XSS (cross-site scripting) attacks.
 
However, in some cases, we may want the user to be able to submit HTML tags like <b> and <u>. For this to happen, we need to turn off request validation for the action method by decorating it with the ValidateInput attribute, [ValidateInput(false)], as shown below.
 
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;

    namespace MvcValidateInputAttribute_Demo.Models
    {
        public class HomeController : Controller
        {
            // GET: Home
            // Renders the form defined in the Index view.
            public ActionResult Index()
            {
                return View();
            }

            // POST: Home
            // ValidateInput(false) turns request validation off for this
            // action only, so the message may now contain HTML.
            [HttpPost]
            [ValidateInput(false)]
            public string Index(string message)
            {
                return "Your message" + message;
            }
        }
    }

At this point, we should be able to submit comments with HTML tags. 
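With request validation turned off, the action itself has to decide which markup is acceptable, because the string it returns is rendered as HTML by the browser. The version below is an added example, not part of the original article's code: it HTML-encodes the whole message and then restores only the <b> and <u> tags mentioned above. The SanitizeMessage helper and the AllowedTags list are hypothetical names introduced for this example.

```csharp
using System.Text;
using System.Web;
using System.Web.Mvc;

namespace MvcValidateInputAttribute_Demo.Models
{
    public class HomeController : Controller
    {
        // Tags this application chooses to accept (assumption for the example).
        private static readonly string[] AllowedTags = { "b", "u" };

        // GET: Home
        public ActionResult Index()
        {
            return View();
        }

        [HttpPost]
        [ValidateInput(false)] // request validation is off for this action only
        public string Index(string message)
        {
            // The response is served as HTML, so only sanitized text is echoed.
            return "Your message" + SanitizeMessage(message);
        }

        // Hypothetical helper: encode everything, then restore only allowed tags.
        internal static string SanitizeMessage(string message)
        {
            // HtmlEncode turns <, >, & and quotes into entities,
            // so every piece of submitted markup becomes inert text.
            var sb = new StringBuilder(HttpUtility.HtmlEncode(message ?? string.Empty));

            foreach (var tag in AllowedTags)
            {
                // Only the exact, attribute-free forms are re-enabled;
                // a tag carrying attributes or any other element stays encoded.
                sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
                sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
            }

            return sb.ToString();
        }
    }
}
```

Submitting <b>Welcome</b> still comes back bold, while any other element in the message is returned as encoded text and displayed literally.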
 