The AllowHtml attribute is used to allow a request to sending HTML/JavaScript codes to server which be applied to a Model property to disable the validation.
The AllowHtml attribute is developed for View Model class with limited Scope and its safe and recommended solution to prevent Cross Site Scripting (XSS) attacks in ASP.NET MVC Apps.
In ASP.Net MVC Project, follow the below steps and prevent the XSS Attacks -
//Steps 1
//Add the following attribute the post action in the controller that you want to allow HTML.
[ValidateInput(false)]
//Steps 2
//AllowHtml attribute is developed for Customer View Model Class.
public class CustomerViewModel
{
[Display(Name = "Email")]
public string Email { get; set; }
[AllowHtml]
public string Name { get; set; }
[AllowHtml]
[Display(Name = "Description")]
public string Description { get; set; }
}
//Steps 3
//HTML View
@model PreventXSSAttacks.Models.CustomerViewModel
@{
ViewBag.Title = "Add Customer";
}
h2>@ViewBag.Title.h2>
@using (Html.BeginForm("Create", "Customer", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
{
@Html.AntiForgeryToken()
h4>Create a new account.h4>
hr />
@Html.ValidationSummary("", new { @class = "text-danger" })
div class="form-group">
@Html.LabelFor(m => m.Email, new { @class = "col-md-2 control-label" })
div class="col-md-10">
@Html.TextBoxFor(m => m.Email, new { @class = "form-control" })
div>
div>
div class="form-group">
@Html.LabelFor(m => m.Name, new { @class = "col-md-2 control-label" })
div class="col-md-10">
@Html.TextBoxFor(m => m.Name, new { @class = "form-control" })
div>
This post first appeared on Angular 2 JavaScript ASP.Net C# SQL Server KnockoutJs AngularJs Kendo UI HTML 5 Web API WPF WCF Etc., please read the originial post: here
