ASP.NET MVC: ValidateInput action filter
In ASP.NET MVC, all user-supplied request data (query string parameters, form fields, etc.) is by default validated for potentially dangerous content such as HTML tags or script, in order to prevent XSS attacks. Sometimes, however, we need to accept HTML content from the user. For example, a blog application built in MVC must let a publisher post HTML content, and we may also allow users to post comments containing HTML. In such scenarios we can use the ValidateInput action filter to let the user post HTML and bypass request validation for a specific action method.
Attribute usage: controller and action method
Sample code:
    using System.Web.Mvc;

    public class CommentController : Controller
    {
        [ValidateInput(false)] // request validation is skipped for this action only
        public ActionResult PostComment(string comment)
        {
            return View();
        }
    }
Once we apply ValidateInput with false, as shown in the code snippet above, request validation will not fire for this action method. In that case we must make sure our own custom logic filters out malicious user input before the content is stored or rendered.
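As an added example (not from the original post), here is what that custom logic can look like: the action still carries [ValidateInput(false)], but the posted HTML is passed through an allowlist sanitizer before anything is done with it. The sanitizer assumes the HtmlAgilityPack NuGet package is referenced; the controller name, the allowed tag list and the comment repository call are illustrative placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using HtmlAgilityPack; // assumption: HtmlAgilityPack package referenced by the project

public class CommentController : Controller
{
    // Allowlist: only these elements and attributes survive; everything else is removed.
    private static readonly HashSet<string> AllowedTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a" };

    private static readonly HashSet<string> AllowedAttributes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href" };

    [HttpPost]
    [ValidateAntiForgeryToken]
    [ValidateInput(false)] // request validation off for this action only
    public ActionResult PostComment(string comment)
    {
        // Never trust the raw value once validation is disabled: sanitize first.
        string safeHtml = SanitizeHtml(comment ?? string.Empty);

        // Hypothetical persistence call; only the sanitized fragment is ever stored.
        // _comments.Add(safeHtml);

        return View();
    }

    // Strips every element not in AllowedTags (together with its content, so that
    // script or style bodies do not leak out as text), drops comments, and keeps only
    // allowlisted attributes whose value is an absolute http(s) URL.
    internal static string SanitizeHtml(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html);

        // ToList(): we mutate the tree while walking it.
        foreach (HtmlNode node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment)
            {
                node.Remove();
                continue;
            }
            if (node.NodeType != HtmlNodeType.Element)
                continue;

            if (!AllowedTags.Contains(node.Name))
            {
                node.Remove();
                continue;
            }

            foreach (HtmlAttribute attr in node.Attributes.ToList())
            {
                if (!AllowedAttributes.Contains(attr.Name) || !IsSafeUrl(attr.Value))
                    attr.Remove();
            }
        }

        return doc.DocumentNode.OuterHtml;
    }

    // Rejects anything that is not an absolute http or https URL, which also covers
    // javascript:, data: and vbscript: schemes. Relative links are rejected too; relax
    // this deliberately if the application needs them.
    private static bool IsSafeUrl(string value)
    {
        Uri uri;
        if (!Uri.TryCreate(value, UriKind.Absolute, out uri))
            return false;
        return uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;
    }
}
```

Two practical points. First, if only one field needs raw HTML, prefer marking that model property with [AllowHtml] over disabling validation for the whole action, so every other parameter stays covered. Second, sanitizing on input does not replace encoding on output: render the stored fragment only where raw HTML is intended, and keep Razor's default encoding everywhere else.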
Check out the ASP.NET MVC: Action filter series posts to read about the other available action filters.
You can follow me on Twitter for the latest links and updates on ASP.NET and MVC.