@Blog.Author(Nandip Makwana) .LearningExperience(ASP.NET, ASP.NET MVC, IIS, jQuery & Technology Surrounding it...)

December 7, 2012

ASP.NET MVC: ValidateInput action filter


In ASP.NET MVC, all user-posted data (query string parameters, form elements, etc.) is validated by default for potentially dangerous content (HTML tags or script) to help prevent XSS attacks. Sometimes, however, we need to accept HTML content from the user. For example, a blog application built on MVC must allow the publisher to post HTML content, or we may allow users to post HTML comments. In such scenarios we can use the ValidateInput action filter to bypass request validation for a specific action method and let the user post HTML content.

Attribute Usage: Controller & method

Sample Code:

// Request validation is turned off for this action method only.
[ValidateInput(false)]
public ActionResult PostComment(string comment)
{
    return View();
}

Once we apply ValidateInput with false, as shown in the code snippet above, request validation will not fire for this action method. In that case we must apply our own custom logic to guard against malicious user input.
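One way to write that custom logic, as an added example that is not code from the original post: HTML-encode the whole comment first, then restore only a small allowlist of attribute-free tags, so anything else the user posts stays inert text. The controller name, the SanitizeComment helper, the tag allowlist and the ViewBag key are assumptions made for illustration.

```csharp
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;

public class CommentController : Controller   // hypothetical controller name
{
    // Allowlist (an assumption): only these tags, written without any
    // attributes, are turned back into markup after encoding.
    private static readonly Regex AllowedTags = new Regex(
        @"&lt;(/?)(b|i|em|strong|p|blockquote)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Hypothetical helper: encode everything, then restore exact allowlisted tags.
    // A tag carrying attributes (for example an event handler) never matches the
    // pattern, so it remains encoded and is displayed as plain text.
    internal static string SanitizeComment(string raw)
    {
        if (string.IsNullOrWhiteSpace(raw))
        {
            return string.Empty;
        }

        string encoded = HttpUtility.HtmlEncode(raw);
        return AllowedTags.Replace(encoded, "<$1$2>");
    }

    [HttpPost]
    [ValidateInput(false)]   // built-in request validation is off for this action only
    public ActionResult PostComment(string comment)
    {
        // With request validation disabled, this is the only check
        // standing between the posted HTML and the rendered page.
        string safeHtml = SanitizeComment(comment);

        // Store or display safeHtml, never the raw comment. The view is assumed
        // to emit this value with Html.Raw, since it is already sanitized.
        ViewBag.CommentHtml = safeHtml;
        return View();
    }
}
```

Because the input is encoded before the allowlist is applied, a user who types an already-encoded tag gets it double-encoded rather than restored.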

Check out the ASP.NET MVC: Action filter series post to read about the other available action filters.


About Nandip Makwana

Nandip Makwana is passionate about digital world and web. He completed his Masters in Computer Application in June 2011. Currently he is working as a Software Engineer. He has shown great promise and command over ASP.NET and technologies surrounding it during his academic years and professorial life...continue reading