In this article I will explain a simple tutorial on what is the AllowHtml attribute in ASP.Net MVC, what is its use and also examples explaining its usage.
AllowHtml attribute is used to allow sending HTML content or codes to server which by default is disabled by ASP.Net MVC to avoid XSS (Cross Site Scripting) attacks.
 
 
XSS (Cross Site Scripting) attacks
In XSS (Cross Site Scripting) attacks, a hacker tries to inject HTML or JavaScript code to a website via INPUT fields such as TextBoxes, TextAreas, etc. Hence ASP.Net MVC throws the following Exception when such invalid content is detected.
What is AllowHtml attribute, its usage and examples in ASP.Net MVC
 
 

What is AllowHtml attribute, its Uses and Examples in ASP.Net MVC
The AllowHtml attribute can be applied to a Model property and it will disable the validation by ASP.Net MVC only for that particular property.
 
Advantages
The AllowHtml attribute is developed for Model class.
The Scope is limited to specific property of the Model class.
It is the safe and recommended solution.
 
Example:-
Model
public class PersonModel
{
    [Display(Name = "Resume:")]
    [AllowHtml]
    public string Resume { get; set; }
}
 
Controller
public class HomeController : Controller
{
    // GET: Home
    public ActionResult Index()
    {
        return View();
    }
 
    [HttpPost]
    public ActionResult Index(PersonModel person)
    {
        return View();
    }
}
 
View
@model Potential_Dangerous_MVC.Models.PersonModel
 
@{
    Layout = null;
}
 
<!DOCTYPE html>
 
<html>
<head>
    <meta name="viewport" content="width=device-width"/>
    <title>Index</title>
</head>
<body>
    @using (Html.BeginForm("Index", "Home", FormMethod.Post))
    {
        <table>
            <tr>
                <td>@Html.LabelFor(m => m.Resume)</td>
                <td>@Html.TextAreaFor(m => m.Resume)</td>
            </tr>
            <tr>
                <td></td>
                <td><input type="submit" value="Submit"/></td>
                <td></td>
            </tr>
        </table>
    }
</body>
</html>