The AllowHtml attribute is used to allow a request to sending HTML/JavaScript codes to server which be applied to a Model property to disable the validation.
The AllowHtml attribute is developed for View Model class with limited Scope and its safe and recommended solution to prevent Cross Site Scripting (XSS) attacks in ASP.NET MVC Apps.
In ASP.Net MVC Project, follow the below steps and prevent the XSS Attacks -
//Steps 1
//Add the following attribute the post action in the controller that you want to allow HTML.
[ValidateInput(false)]
//Steps 2
//AllowHtml attribute is developed for Customer View Model class.
public class CustomerViewModel
{
[Display(Name = "Email")]
public string Email { get; set; }
[AllowHtml]
public string Name { get; set; }
[AllowHtml]
[Display(Name = "Description")]
public string Description { get; set; }
}
//Steps 3
//HTML View
@model PreventXSSAttacks.Models.CustomerViewModel
@{
ViewBag.Title = "Add Customer";
}
<h2>@ViewBag.Title.</h2>
@using (Html.BeginForm("Create", "Customer", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
{
@Html.AntiForgeryToken()
<h4>Create a new account.</h4>
<hr />
@Html.ValidationSummary("", new { @class = "text-danger" })
<div class="form-group">
@Html.LabelFor(m => m.Email, new { @class = "col-md-2 control-label" })
<div class="col-md-10">
@Html.TextBoxFor(m => m.Email, new { @class = "form-control" })
</div>
</div>
<div class="form-group">
@Html.LabelFor(m => m.Name, new { @class = "col-md-2 control-label" })
<div class="col-md-10">
@Html.TextBoxFor(m => m.Name, new { @class = "form-control" })
</div>
</div>
<div class="form-group">
@Html.LabelFor(m => m.Description, new { @class = "col-md-2 control-label" })
<div class="col-md-10">
@Html.TextBoxFor(m => m.Description, new { @class = "form-control" })
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<input type="submit" class="btn btn-default" value="Add Customer" />
</div>
</div>
}
//Steps 4
//Customer controller’s Action.
[ValidateAntiForgeryToken]
[ValidateInput(false)]
public ActionResult Create(CustomerViewModel customer)
{
if (ModelState.IsValid)
{
StringBuilder sb = new StringBuilder();
sb.Append(HttpUtility.HtmlEncode(customer.Description));
sb.Replace("/&/g", "&");
sb.Replace("/</g", "<");
sb.Replace("/>/g", ">");
sb.Replace("/\"/g", """);
sb.Replace("/\'/g", "'");
if (sb.Length > 0)
{
customer.Description = HttpUtility.HtmlEncode(sb.ToString());
return _custRepot.InsertCustomer(customer);
}
}
return View(customer);
}
Also, In your web.config set the validation mode –
<httpRuntime targetFramework="4.5.1" requestValidationMode="2.0" />
I hope you are enjoying with this post! Please share with you friends. Thank you so much!
|
Anil Singh is an author, tech blogger, and software programmer. Book writing, tech blogging is something do extra and Anil love doing it. For more detail, kindly refer to this link..
|