ValidateInput Attribute in ASP.NET MVC

ValidateInput Attribute in ASP.NET MVC Application

In this article, I am going to discuss the ValidateInput Attribute in ASP.NET MVC Application. Please read our previous article where we discussed How To Create Custom OutputCache Attribute in MVC Application.

What is ValidateInput Attribute in ASP.NET MVC?

The ValidateInput attribute in MVC is used to enable or disable request validation. By default, request validation is enabled in the ASP.NET MVC Framework, and it rejects requests that send HTML content or code to the server in order to avoid XSS (Cross-Site Scripting) attacks. Disabling it with this attribute allows such content to be submitted.

Example: ValidateInput Attribute in ASP.NET MVC

Let’s understand ValidateInput Attribute in ASP.NET MVC Application with an example.

Step1: Create a new ASP.NET MVC 5 application using the Empty template. Open Visual Studio and create a New Project. Select File => New => Project option as shown in the below image.

Creating new MVC Project

After clicking on the “Project” link, a new dialog will pop up. Select the web templates in the left pane. Only one project template, “ASP.NET Web Application”, is listed there, so select it. Then name the project “validateInputinMVC” and click on the OK button as shown in the below image.

Once you click on the OK button, a new dialog named “New ASP.NET Project” will pop up for selecting the project template. In this dialog, choose the Empty project template, check the MVC checkbox, and click on the OK button as shown in the below image.

Once you click on the OK button, it will take some time to create the project for us with the following file and folder structure.

Folder Structure of ValidateInput Attribute Application

Step2: Add a HomeController.

Right-click on the Controllers folder and select controller which will open a pop-up for adding the controller. Here, select “MVC 5 Controller – Empty” and click on the Add button as shown in the below image.

Creating MVC 5 Empty Controller

Once you click on the Add button, it will open a new pop-up for providing the controller name. Here, provide the controller name as Home and click on the Add button as shown in the below image.

Once you click on the Add button, it will add the HomeController. Then copy and paste the following code within the HomeController.

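using System.Web.Mvc;

public class HomeController : Controller
{
    // GET: renders the comment form
    public ActionResult Index()
    {
        return View();
    }

    // POST: returns the submitted comment to the browser as-is
    [HttpPost]
    public string Index(string comments)
    {
        return "Your Comments: " + comments;
    }
}

Step3: Add Index.cshtml view.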

Right-click on the Index action method and select Add View, which will open a pop-up as shown in the below image. Here, keep the default values and click on the Add button.

Adding Index View

Once you click on the Add button, it will create the Index.cshtml view. Copy and paste the following code into it.

@{
    ViewBag.Title = "Index";
    Layout = null;
}
<div style="font-family: Arial">
    @using (Html.BeginForm())
    {
        <b>Comments:</b> 
        <br/>
        @Html.TextArea("comments")
        <br/>
        <br/>
        <input type="submit" value="submit"/>
    }
</div>

Step4: Run the application and navigate to /Home/Index. Type the text <b>Welcome</b> in the “Comments” textbox and click “Submit” as shown in the below image.

Notice that the request is rejected with an HttpRequestValidationException: “A potentially dangerous Request.Form value was detected from the client”.

This is because, by default, request validation is turned on in an ASP.NET MVC application and does not allow you to submit any HTML, in order to prevent XSS (cross-site scripting) attacks. However, in some cases, we may want the user to be able to submit HTML tags like <b>, <u>, etc. For this to happen, we need to turn off request validation by decorating the action method with the ValidateInput attribute and setting its value to false, as shown in the below code. Doing so removes this protection for that action, so the action itself becomes responsible for encoding or sanitizing what it sends back to the browser.

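using System.Web.Mvc;

namespace validateInputinMVC.Controllers
{
    public class HomeController : Controller
    {
        // GET: renders the comment form
        public ActionResult Index()
        {
            return View();
        }

        // POST: request validation is disabled for this action only,
        // so comments containing HTML tags are accepted
        [HttpPost]
        [ValidateInput(false)]
        public string Index(string comments)
        {
            return "Your Comments: " + comments;
        }
    }
}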
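
With request validation off, the action above writes the raw comment into an HTML response, so any markup in it reaches the browser. The following is an added example, not code from the original article: it HTML-encodes the whole comment and then restores only the attribute-free <b> and <u> tags. The AllowedTags list and the EncodeWithAllowList helper are hypothetical names introduced here.

```csharp
using System.Text;
using System.Web;
using System.Web.Mvc;

namespace validateInputinMVC.Controllers
{
    public class HomeController : Controller
    {
        // Tags the application chooses to accept (assumption for this example).
        private static readonly string[] AllowedTags = { "b", "u" };

        public ActionResult Index()
        {
            return View();
        }

        [HttpPost]
        [ValidateInput(false)] // request validation is off for this action only
        public ActionResult Index(string comments)
        {
            // Everything the user typed is encoded before it is written out.
            return Content("Your Comments: " + EncodeWithAllowList(comments), "text/html");
        }

        // Hypothetical helper: encode every character first, then turn back only
        // the exact, attribute-free opening and closing forms of the allowed tags.
        // Anything else (<script>, <b onclick=...>, <B>) stays encoded and is
        // displayed as text instead of being interpreted by the browser.
        internal static string EncodeWithAllowList(string input)
        {
            var sb = new StringBuilder(HttpUtility.HtmlEncode(input ?? string.Empty));
            foreach (var tag in AllowedTags)
            {
                sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
                sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
            }
            return sb.ToString();
        }
    }
}
```

When only one field needs to carry markup, MVC's [AllowHtml] attribute on that model property exempts just that property from request validation instead of the whole action.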

With [ValidateInput(false)] in place, we should be able to submit comments with HTML tags in them.

In the next article, I am going to discuss the RequireHttps Attribute in ASP.NET MVC Application. Here, in this article, I tried to explain the ValidateInput Attribute in ASP.NET MVC application with examples. I hope this ValidateInput Attribute in MVC article will help you with your needs. I would like to have your feedback. Please post your feedback, questions, or comments about this ValidateInput Attribute in MVC article.