In this article I will explain, with a simple tutorial, what the ValidateInput(false) attribute in ASP.Net MVC is, what it is used for, and give examples of its usage.
The ValidateInput(false) attribute is used to allow HTML content or code to be sent to the server, which ASP.Net MVC disables by default in order to avoid XSS (Cross Site Scripting) attacks.
 
 
XSS (Cross Site Scripting) attacks
In XSS (Cross Site Scripting) attacks, an attacker tries to inject HTML or JavaScript code into a website via INPUT fields such as TextBoxes, TextAreas, etc. Hence ASP.Net MVC throws the following Exception when such content is detected in a request.
[Screenshot: the exception page shown by ASP.Net MVC, "A potentially dangerous Request.Form value was detected from the client"]
 
 
What is ValidateInput(false) attribute, its Uses and Examples in ASP.Net MVC
The ValidateInput attribute can be used at Controller level and also at Action method level. Both are explained below.
1. ValidateInput attribute at Action level
The ValidateInput attribute can be applied to a Controller's Action method, and it will disable the request validation performed by ASP.Net MVC only for that particular Action method.
 
Advantages
The scope is limited to a specific Action method of the Controller class.
If you have multiple properties accepting HTML content, this method will reduce redundancy.
When no Model class is used to design the Form elements, this attribute is needed.
Disadvantages
All the Form fields posting data to the Action method can send HTML content, though only one or a few might actually need to.
 
Example:-
 
Model
using System.ComponentModel.DataAnnotations; // required for the Display attribute

public class PersonModel
{
    [Display(Name = "Resume:")]
    public string Resume { get; set; }
}
 
Controller
using System.Web.Mvc; // Controller, ActionResult, HttpPost and ValidateInput
using Potential_Dangerous_MVC.Models; // PersonModel

public class HomeController : Controller
{
    // GET: Home
    public ActionResult Index()
    {
        return View();
    }

    // POST: Home
    // Request validation is switched off for this Action method only.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Index(PersonModel person)
    {
        return View();
    }
}
 
View
@model Potential_Dangerous_MVC.Models.PersonModel
 
@{
    Layout = null;
}
 
<!DOCTYPE html>
 
<html>
<head>
    <meta name="viewport" content="width=device-width"/>
    <title>Index</title>
</head>
<body>
    @using (Html.BeginForm("Index", "Home", FormMethod.Post))
    {
        <table>
            <tr>
                <td>@Html.LabelFor(m => m.Resume)</td>
                <td>@Html.TextAreaFor(m => m.Resume)</td>
            </tr>
            <tr>
                <td></td>
                <td><input type="submit" value="Submit"/></td>
                <td></td>
            </tr>
        </table>
    }
</body>
</html>
 
 
2. ValidateInput attribute at Controller level
The ValidateInput attribute can also be applied to a Controller, and it will disable the request validation performed by ASP.Net MVC for all the Action methods of that particular Controller.
 
Advantages
The scope is limited to the specific Controller class.
If you have multiple Action methods accepting HTML content, this method will reduce redundancy.
When no Model class is used to design the multiple Forms, this method is useful.
Disadvantages
All the Form fields posting data to all the Action methods can send HTML content, though only one or a few might actually need to.
 
Example:-
 
Model
using System.ComponentModel.DataAnnotations; // required for the Display attribute

public class PersonModel
{
    [Display(Name = "Resume:")]
    public string Resume { get; set; }
}
 
Controller
using System.Web.Mvc; // Controller, ActionResult, HttpPost and ValidateInput
using Potential_Dangerous_MVC.Models; // PersonModel

// Request validation is switched off for every Action method in this Controller.
[ValidateInput(false)]
public class HomeController : Controller
{
    // GET: Home
    public ActionResult Index()
    {
        return View();
    }

    // POST: Home
    [HttpPost]
    public ActionResult Index(PersonModel person)
    {
        return View();
    }
}
 
View
@model Potential_Dangerous_MVC.Models.PersonModel
 
@{
    Layout = null;
}
 
<!DOCTYPE html>
 
<html>
<head>
    <meta name="viewport" content="width=device-width"/>
    <title>Index</title>
</head>
<body>
    @using (Html.BeginForm("Index", "Home", FormMethod.Post))
    {
        <table>
            <tr>
                <td>@Html.LabelFor(m => m.Resume)</td>
                <td>@Html.TextAreaFor(m => m.Resume)</td>
            </tr>
            <tr>
                <td></td>
                <td><input type="submit" value="Submit"/></td>
                <td></td>
            </tr>
        </table>
    }
</body>
</html>
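The disadvantage listed for both the Action-level and the Controller-level usage is that every Form field, not only Resume, bypasses request validation. The following added example (my own code, not part of the article) shows how the Action-level version can re-check the fields that were never meant to carry HTML; it assumes an extra Name property on PersonModel, and LooksLikeMarkup is my approximation of the rule the framework's request validation applies, not the framework's own method.

```csharp
using System.Web.Mvc;
using Potential_Dangerous_MVC.Models; // PersonModel from the article, assumed to also have a Name property

public class HomeController : Controller
{
    // GET: Home
    public ActionResult Index()
    {
        return View();
    }

    // POST: Home
    // Request validation is off for this whole request, so every bound field,
    // not only Resume, may now arrive containing HTML.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Index(PersonModel person)
    {
        // Re-apply a markup check to the fields that must stay plain text.
        // (Name is an assumed extra property, not part of the article's model.)
        if (LooksLikeMarkup(person.Name))
        {
            ModelState.AddModelError("Name", "HTML is not allowed in this field.");
        }
        if (!ModelState.IsValid)
        {
            return View(person); // redisplay the form with the error message
        }
        // person.Resume is accepted as typed. Render it in the view with
        // @Model.Resume (Razor HTML-encodes) rather than @Html.Raw(Model.Resume),
        // otherwise any script inside it will run in the browser.
        return View(person);
    }

    // Approximation (assumed, not the framework's code) of the request
    // validation rule: a '<' followed by a letter, '!', '/' or '?', or the
    // two characters "&#", is treated as markup.
    internal static bool LooksLikeMarkup(string value)
    {
        if (string.IsNullOrEmpty(value)) return false;
        for (int i = 0; i < value.Length - 1; i++)
        {
            char c = value[i], next = value[i + 1];
            if (c == '<' && (char.IsLetter(next) || next == '!' || next == '/' || next == '?'))
                return true;
            if (c == '&' && next == '#')
                return true;
        }
        return false;
    }
}
```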