Wednesday, 30 December 2015

Validate Input & AllowHtml attribute .Net MVC

When you develop an app, sometimes your requirements could be you want to send HTML values (for example <h2>Hello World</h2>) from the view to the controller. Sometimes we use HTML Editors, to save some info into the database. By default ASP.NET MVC doesn't allow a user to submit the HTML content.

So let's see how to submit your form with HTML content.
  1. Open Visual Studio then select "New Project" then select "ASP.NET MVC 4 Application".

  1. Provide a project name then click "OK".
  2. Select "Internet Application" then click "OK"

  1. Create a New Model.

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;

    namespace ValidateInputDemo.Models
        public class ValidateModel
            public string description { getset; }
  2. Add a new method to your Controller.

    public ActionResult ValidateInput()
    return View();
    HttpPost]public ActionResult  ValidateInput(string description)
    ValidateModel validateInputModel = new ValidateModel();
        validateInputModel.description = description;
    return View(validateInputModel);
    @model ValidateInputDemo.Models.ValidateModel
           ViewBag.Title = "ValidateInput";
    @using (@Html.BeginForm("ValidateInput","Home"FormMethod.Post, new { @id = "form1", @enctype ="multipart/form-data" }))
        <label id="lblDescription">Description</label>
         @Html.TextAreaFor(m=>m.description, new {@id="txtDescription",@name="description" })
        <input type="submit" id="bttn_Submit" />
You can see in the code above, there is a text area and a submit button, have a look in the browser. Press F5. 

You can see in the preceding screen, if you type something into the description and press Submit then  nothing happens.

Now check the following example. Add HTML content into text area.

Now press the "Submit" button.

You will get the error above. This error comes because this is the security from ASP.NET MVC. For applications, a user cannot send HTML values to the controller, but sometimes we want to send values to the controller.

For resolving this issue we have the ValidateInput(false) attribute.

Just put this into your controller and have a look.
public ActionResult  ValidateInput(string description)
   ValidateModel validateInputModel = new ValidateModel();
   validateInputModel.description = description;
   return View(validateInputModel);
Now press F5. After filling in the HTML attribute press the submit button, you will never get an error. So when you want to work with HTML attributes in your app text area or textboxes, don't forget to use validateinpute(false) in your ActionMethod.

Limitation of ValidateInput attribute
This attribute also has the issue since this allow the Html input for all the properties and that is unsafe. Since you have enable Html input for only one-two properties then how to do this. To allow Html input for a single property, you should use AllowHtml attribute.

AllowHtml Attribute
This is the best way to allow the submission of HTML for a particular property. This attribute will be added to the property of a model to bypass input validation for that property only. This explicit declaration is more secure than the ValidateInput attribute.

using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

public class BlogModel
 [Display(Name = "Title")]
 public string Title { get; set; }

 [Display(Name = "Description")]
 public string Description{ get; set; }

Make sure, you have removed the ValidateInput attribute from Conroller or Action method. Now, the user can submit Html only for the Description property successfully.

1 comment:


ADFS (1) ADO .Net (2) Ajax (1) Angular (1) Angular Js (17) Angular2 (28) ASP .Net (14) Authentication (1) Azure (1) Breeze.js (1) C# (50) CD (1) CI (2) CloudComputing (1) CMS (1) CSS (2) Design_Pattern (3) DevOps (4) DI (4) Dotnet (22) Entity Framework (3) ExpressJS (4) Html (3) IIS (1) Javascript (6) Jquery (8) Lamda (3) Linq (11) Mongodb (1) MVC (50) NodeJS (7) RDLC (1) Report (1) SDLC (1) Sql Server (30) SSIS (3) SSO (1) SSRS (2) UI (1) WCF (13) Web Api (11) Web Service (1) XMl (1)