ASP.NET MVC Tip #48 – Disable Request Validation

By default, the ASP.NET MVC framework rejects form fields and query-string values that look like HTML markup (for example, a < followed by a letter) before they ever reach your action. This feature is called request validation.

For example, submitting the following text in an HTML input field causes the ASP.NET MVC framework to throw an HttpRequestValidationException with the message "A potentially dangerous Request.Form value was detected from the client" (Figure 1):

<script>alert('I am evil!');</script>

Figure 1 – An evil form post

This is a good feature. You don't want people sneaking scripts into your website that can steal passwords or other sensitive user information, and request validation stops the most obvious cross-site scripting payloads before your code sees them. Treat it as defense in depth rather than as your XSS protection, though: the real protection is encoding output. Normally, you want to leave request validation enabled.

There are situations, however, in which it is perfectly legitimate to want people to submit text that contains HTML markup. For example, you might be hosting a discussion forum on ASP.NET MVC and want to let people post messages that contain HTML tags.

Unlike a Web Forms application, you cannot disable request validation with the <%@ Page ValidateRequest="false" %> directive, and the <pages validateRequest="false" /> setting in web.config has no effect either: MVC triggers the check itself from the controller pipeline, not from a Page, so the Page-level switches never come into play. If you want to disable request validation, you must use the [ValidateInput] attribute. (One caveat for later versions: on ASP.NET 4.0 with MVC 1 or 2, the runtime validates the request earlier in the pipeline and the attribute alone is not enough unless you also add <httpRuntime requestValidationMode="2.0" /> to web.config. MVC 3 and later honour [ValidateInput(false)] again and also let you mark just the one model property that should accept markup with [AllowHtml], which is the narrower and better choice.)

You apply the [ValidateInput] attribute to the controller action that accepts the form input. Passing false turns validation off for that action only; every other action keeps the default protection. For example, the Create() action below has request validation disabled:

[C#]

//
// POST: /Home/Create
//
// ValidateInput(false) turns request validation off for this one action;
// the rest of the application keeps the default check.

[ValidateInput(false)]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create([Bind(Exclude="Id")]Product productToCreate)
{
    // Model binding errors (for example, a non-numeric price) land in
    // ModelState; redisplay the form instead of saving.
    if (!ModelState.IsValid)
        return View();

    try
    {
        // The product is stored exactly as submitted, markup included;
        // anything that reads it back must HTML-encode it before display.
        _dataModel.AddToProductSet(productToCreate);
        _dataModel.SaveChanges();

        return RedirectToAction("Index");
    }
    catch
    {
        return View();
    }
}

[VB]

'
' POST: /Home/Create
'
' ValidateInput(False) turns request validation off for this one action;
' the rest of the application keeps the default check.
<ValidateInput(False)> _
<AcceptVerbs(HttpVerbs.Post)> _
Function Create(<Bind(Exclude:="Id")> ByVal productToCreate As Product) As ActionResult

    ' Model binding errors land in ModelState; redisplay the form instead of saving.
    If Not ModelState.IsValid Then
        Return View()
    End If

    Try
        ' The product is stored exactly as submitted, markup included;
        ' anything that reads it back must HTML-encode it before display.
        _dataModel.AddToProductSet(productToCreate)
        _dataModel.SaveChanges()

        Return RedirectToAction("Index")
    Catch
        Return View()
    End Try
End Function

If you decide to disable request validation, you take over responsibility for the output side. Make sure that you HTML encode any text submitted by a user that you display in a view: always use the <%= Html.Encode() %> helper method rather than a bare <%= %> when displaying user content. Encoding turns the example above into literal text that the browser shows but never executes. If your application really must render user-supplied markup, as in the forum case, encoding is not enough on its own; you then need to sanitize the stored HTML against an allowlist of tags and attributes before rendering it. Request validation does not do that for you.
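The following is an added example, not code from the original post, that puts the pattern together for the forum scenario described above: the attribute is scoped to the one action that must accept markup, the rest of the controller keeps the default validation, and the stored text is HTML-encoded on every path back to a view. The type names (Message, MessageStore, ForumController, MessageRenderer, HtmlInputControllerBase) are assumptions made for this example, and the in-memory list stands in for a database.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Constructed example for this post; the type names are assumptions.

public class Message
{
    public int Id { get; set; }
    public string Author { get; set; }
    public string Body { get; set; }   // raw user input, may contain markup
}

// Stand-in for a data model; a real application would use a database.
public static class MessageStore
{
    public static readonly List<Message> Messages = new List<Message>();
}

public class ForumController : Controller
{
    // GET: /Forum/Index
    // Request validation is still on here; only Create() relaxes it.
    public ActionResult Index()
    {
        return View(MessageStore.Messages);
    }

    // POST: /Forum/Create
    // Request validation is switched off for this action only. Nothing
    // else in the application is affected.
    [ValidateInput(false)]
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Create([Bind(Exclude = "Id")] Message messageToCreate)
    {
        if (String.IsNullOrEmpty(messageToCreate.Body))
            ModelState.AddModelError("Body", "Message body is required.");

        // Redisplaying the form hands the raw Body back to the view, so the
        // Create view must render it with Html.Encode() as well.
        if (!ModelState.IsValid)
            return View(messageToCreate);

        messageToCreate.Id = MessageStore.Messages.Count + 1;
        MessageStore.Messages.Add(messageToCreate);   // stored as submitted
        return RedirectToAction("Index");
    }
}

// If every action in a controller legitimately accepts markup, the
// attribute can go on the class, or on a shared base class that all such
// controllers derive from, instead of on each action.
[ValidateInput(false)]
public abstract class HtmlInputControllerBase : Controller
{
}

// Output side. Html.Encode() in a view calls HttpUtility.HtmlEncode; the
// same call is used here so the rule can be unit tested outside a view.
public static class MessageRenderer
{
    public static string RenderBody(Message message)
    {
        // "<script>alert('I am evil!');</script>" comes back with every
        // '<' and '>' replaced by &lt; and &gt;, so no tag survives.
        return HttpUtility.HtmlEncode(message.Body ?? String.Empty);
    }

    // Sanity check: after encoding, no raw angle bracket remains, so the
    // browser can never parse the text as an element.
    public static bool IsInert(string rendered)
    {
        return rendered.IndexOf('<') < 0 && rendered.IndexOf('>') < 0;
    }
}
```

The view for Index then writes <%= Html.Encode(message.Body) %> for each message; the one place you would be tempted to drop the encoding, rendering the forum post as real HTML, is exactly the place where an allowlist sanitizer has to run first.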

Discussion

  1. Marwan says:

    nice tip
    thanks

  2. Max Fraser says:

thanks – I wish there were a .ToHtmlEncode() like there is a .ToString()

  3. ToddLF says:

"thanks – I wish there were a .ToHtmlEncode() like there is a .ToString()"

    Sounds like a pretty easy extension method to me

  4. Shawn says:

    Actually, using Html.Encode() on the output defeats the purpose of allowing HTML markup on the input in the first place.

  5. Joe Chung says:

    Allowing HTML markup as input is a bad idea.

  6. @Shawn — You might want to display content that contains < and > characters. For example, typing <img> in this comment displays instead of the tag.

  7. Shawn says:

    @Stephen – yes, encoding if you want to display the angle brackets makes sense, but generally you want to display the picture, not the text, which encoding prevents. Your blog software must allow the tag through in order for it to be rendered as an image. My point is that often the reason you're allowing HTML input is so that it displays as matching HTML on the output as well.

    @Joe – allowing some form of markup is required if you want users to do more than boring plain text. Take Stephen’s blog here for example – it would be nearly unreadable if he couldn’t provide rich markup with images, headings, the slick source code listings, etc.

  8. jack says:

    this is really good

  9. Mario says:

    For those special situations html encoding “, could cover 90% of problems

  10. Mario says:

    I meant html encoding “< .S. Cr.ipt >” and “< ./ Scr.ip t>” dooh

  11. Thats good. I don’t want people sneaking scripts into my website that can steal passwords or other sensitive user information. Normally, I want to leave request validation enabled.

  12. Joshua Beall says:

    So, there’s no way to globally disable input validation? This is annoying. Consider a CMS application that has countless actions where user input is (and should be) HTML. Does every action need to be decorated with the [ValidateInput(false)] attribute?

    I realize the desire for security, but the truth is, programmers need to take responsibility for their own code. The framework can’t always take care of everything for you, and in this case, the adults among us would like to just be able to globally disable this and do our own input validation.

  13. @Joshua Beall — Good question. You don't need to place the attribute on every controller action. You can place the attribute on the controller class itself. Another alternative is to create a base controller class and place the attribute on this base class. That way, request validation would be disabled for every derived controller automatically.

  14. Really very nice stuff. Thanks.

  15. Thanks for this valuable information.

  16. interesting post thanks!!! i really like it

  17. this is given in attachment. I understand that very well. Thanks.

  20. Well thats pretty cool information, I didn’t know that was called “request validation”. Thanks

  22. very nice post thanks! i like it
    keep working like that

  23. I didn’t know that was called “request validation”. Thanks

  24. very nice page and interesting

  29. Great job
    this is really good
    Thanks

  30. thanks you for your advise, I have enjoyed following your blog entries

  31. HI

    This is really good
    I have enjoyed following your blog entries.

  34. Hello
    Great post congratulation
    Have Nice Day

  35. Hello
    Great post thanks for sharing a informative article keep it up
    Have nice day…

  37. Hello
    i`m impressed about the content of this blog is awesome.

  39. Iyyengar says:

    awesome useful tip — good. Pl. keep posting

  40. Hello

    Very good post, helped me a lot!

  44. Great Post! Very good introduction is given. Very useful also. Thanks Stephen

  45. Thanks for the help with this code… I had been struggling with it for a bit!


  51. scott says:

    Choose, buy and shop for on sale Tiffany Jewelry including tiffany and co Silver Necklace, Pendants, Bangles, Bracelets, Earrings, Rings and Accessories.Tiffany Bracelets | Tiffany Necklaces | Tiffany Rings | We will surprise to find the high quality Tiffany Jewelry in much. Everyone will focus on tiffany and co