By default, the ASP.NET MVC framework prevents you from submitting form data that contains potentially malicious content. This feature is called request validation.
For example, submitting the following text in an HTML input field causes the ASP.NET MVC framework to throw an exception (Figure 1):
<script>Alert('I am evil!');</script>
Figure 1 – An evil form post
This is a good feature. You don’t want people sneaking scripts into your website that can steal passwords or other sensitive user information. Normally, you want to leave request validation enabled.
There are situations, however, when it is perfectly legitimate to want people to submit text that contains HTML markup to a website. For example, you might be hosting a discussion forum on ASP.NET MVC and you want to enable people to submit messages that contain HTML tags.
Unlike a Web Forms application, you cannot disable request validation by using the <%@ Page ValidateRequest="false" %> directive. You also cannot disable request validation in the web configuration (web.config) file. If you want to disable request validation then you must use the [ValidateInput] attribute.
You apply the [ValidateInput] attribute to the controller action that accepts the form input. For example, the Create() action below has request validation disabled:
[C#]
    //
    // POST: /Home/Create
    // Request validation is switched off for this single action only.
    [ValidateInput(false)]
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Create([Bind(Exclude="Id")]Product productToCreate)
    {
        if (!ModelState.IsValid)
            return View();

        try
        {
            _dataModel.AddToProductSet(productToCreate);
            _dataModel.SaveChanges();
            return RedirectToAction("Index");
        }
        catch
        {
            return View();
        }
    }
[VB]
    '
    ' POST: /Home/Create
    ' Request validation is switched off for this single action only.
    <ValidateInput(False)> _
    <AcceptVerbs(HttpVerbs.Post)> _
    Function Create(<Bind(Exclude:="Id")> ByVal productToCreate As Product) As ActionResult
        If Not ModelState.IsValid Then
            Return View()
        End If

        Try
            _dataModel.AddToProductSet(productToCreate)
            _dataModel.SaveChanges()
            Return RedirectToAction("Index")
        Catch
            Return View()
        End Try
    End Function
If you decide to disable request validation, make sure that you HTML encode any text submitted by a user that you display in a view. Always use the <%= Html.Encode() %> helper method when displaying content.
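The following is an added example, not code from the original post: it keeps [ValidateInput(false)] scoped to the one POST action that expects markup, leaves the GET action and the rest of the controller validated, and shows the server-side counterpart of Html.Encode for the display side. The Product model and the in-memory Store are hypothetical stand-ins for the post's Entity Framework _dataModel.

```csharp
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical model standing in for the post's Product entity.
public class Product
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Description { get; set; }   // may legitimately contain HTML tags
}

public class HomeController : Controller
{
    // Hypothetical in-memory store replacing _dataModel; not thread-safe, demo only.
    private static readonly List<Product> Store = new List<Product>();

    // GET: /Home/Create -- request validation stays ON for this action.
    public ActionResult Create()
    {
        return View();
    }

    // POST: /Home/Create -- validation is disabled ONLY here, where HTML
    // markup in Description is expected. Every other action keeps the default.
    [ValidateInput(false)]
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Create([Bind(Exclude = "Id")] Product productToCreate)
    {
        if (!ModelState.IsValid)
            return View();

        productToCreate.Id = Store.Count + 1;
        Store.Add(productToCreate);
        return RedirectToAction("Index");
    }

    // GET: /Home/Index -- the view must render each Description with
    // <%= Html.Encode(product.Description) %>, never <%= product.Description %>.
    public ActionResult Index()
    {
        return View(Store);
    }

    // Server-side equivalent of the Html.Encode() helper, for cases where the
    // encoded text is needed outside a view. For the post's sample input,
    // "<script>Alert('I am evil!');</script>" comes back as
    // "&lt;script&gt;Alert(&#39;I am evil!&#39;);&lt;/script&gt;".
    public static string EncodeForDisplay(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }
}
```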
nice tip
thanks
thanks – I wish there were a .ToHtmlEncode() like there is a .ToString()
“thanks – I wish there were a .ToHtmlEncode() like there is a .ToString() “
Sounds like a pretty easy extension method to me
Actually, using Html.Encode() on the output defeats the purpose of allowing HTML markup on the input in the first place.
Allowing HTML markup as input is a bad idea.
@Shawn — You might want to display content that contains < and > characters. For example, typing <img> in this comment displays
instead of the tag.
@Stephen – yes, encoding if you want to display the angle brackets makes sense, but generally you want to display the picture not the text
, which encoding prevents. Your blog software must allow the
tag through in order for it to be rendered as an image. My point is that often the reason you’re allowing html input is so that it displays as matching html on the output as well.
@Joe – allowing some form of markup is required if you want users to do more than boring plain text. Take Stephen’s blog here for example – it would be nearly unreadable if he couldn’t provide rich markup with images, headings, the slick source code listings, etc.
this is really good
For those special situations html encoding “, could cover 90% of problems
I meant html encoding “< .S. Cr.ipt >” and “< ./ Scr.ip t>” dooh
That's good. I don’t want people sneaking scripts into my website that can steal passwords or other sensitive user information. Normally, I want to leave request validation enabled.
So, there’s no way to globally disable input validation? This is annoying. Consider a CMS application that has countless actions where user input is (and should be) HTML. Does every action need to be decorated with the [ValidateInput(false)] attribute?
I realize the desire for security, but the truth is, programmers need to take responsibility for their own code. The framework can’t always take care of everything for you, and in this case, the adults among us would like to just be able to globally disable this and do our own input validation.
@Joshua Beall — Good question. You don’t need to place the attribute on every controller action. You can place the attribute on the controller class itself. Another alternative is to create a base controller class and place the attribute on this base class. That way, request validation would be disabled for every derived controller automatically.
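The base-class approach from the reply above, as an added example rather than code from the post: the attribute on HtmlInputControllerBase is inherited by every derived controller, and an action-level [ValidateInput(true)] switches validation back on for an action that never expects markup (the action-level attribute runs after the class-level one and therefore wins). All type and action names here are hypothetical.

```csharp
using System.Web.Mvc;

// Hypothetical base controller: every controller deriving from it inherits
// the disabled request validation, so no per-action attributes are needed.
[ValidateInput(false)]
public abstract class HtmlInputControllerBase : Controller
{
}

public class ArticlesController : HtmlInputControllerBase
{
    // Inherits [ValidateInput(false)]: HTML in 'body' is accepted.
    // Whatever view displays 'body' must still use <%= Html.Encode(...) %>.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Save(string title, string body)
    {
        TempData["Title"] = title;
        TempData["Body"] = body;
        return RedirectToAction("Show");
    }

    // Action-level attribute overrides the class-level one: a search box has
    // no reason to accept markup, so validation is re-enabled just for it.
    [ValidateInput(true)]
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Search(string query)
    {
        ViewData["Query"] = query;
        return View();
    }

    public ActionResult Show()
    {
        return View();
    }
}
```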
Really very nice stuff. Thanks.
Thanks for this valuable information.
interesting post thanks!!! i really like it
this is given in attachment. I understand that very well. Thanks.
very nice post!!!!!!!!!
Thanks for this valuable information.
Well thats pretty cool information, I didn’t know that was called “request validation”. Thanks
I agreed with this post, very nice
very nice post thanks! i like it
keep working like that
I didn’t know that was called “request validation”. Thanks
very nice page and intresting
pretty cool and helpful info.. keep me informed
interesting post thanks!!!
very interesting website, congratulations.
Great job
this is really good
Thanks
Great job Stephen.
thanks you for your advise, I have enjoyed following your blog entries
HI
This is really good
I have enjoyed following your blog entries.
very nice post thanks!! i really like it
great post thanks for sharing an informative
Very good post, helped me a lot!
Hello
Great post congratulation
Have Nice Day
Hello
Great post thanks for sharing an informative article keep it up
Have nice day…
Hello
i`m impressed about the content of this blog is awesome.
awesome useful tip — good. Pl. keep posting
Hello
Very good post, helped me a lot!
Hello
Very good post, helped me a lot!
It’s really great, because Stephen knows how to take the reader with him to a destination. I like it…
Nice article, very helpful. Thanks!
Great Post! Very good introduction is given. Very useful also. Thanks Stephen
Thanks for the help with this code… I had been struggling with it for a bit!
In fact, to say nothing more on this subject, but still would like to thank for sharing. Respects