The AllowHtml attribute is used to allow a request to sending HTML/JavaScript codes to server which be applied to a Model property to disable the validation.
The AllowHtml attribute is developed for View Model class with limited Scope and its safe and recommended solution to prevent Cross Site Scripting (XSS) attacks in ASP.NET MVC Apps.
In ASP.Net MVC Project, follow the below steps and prevent the XSS Attacks -
//Steps 1
//Add the following attribute the post action in the controller that you want to allow HTML.
[ValidateInput(false)]
//Steps 2
//AllowHtml attribute is developed for Customer View Model Class.
public class CustomerViewModel
{
[Display(Name = "Email")]
public string Email { get; set; }
[AllowHtml]
public string Name { get; set; }
[AllowHtml]
[Display(Name = "Description")]
public string Description { get; set; }
}
//Steps 3
//HTML View
@model PreventXSSAttacks.Models.CustomerViewModel
@{
ViewBag.Title = "Add Customer";
}
h2>@ViewBag.Title.h2>
@using (Html.BeginForm("Create", "Customer", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
{
@Html.AntiForgeryToken()
h4>Create a new account.h4>
hr />
@Html.ValidationSummary("", new { @class = "text-danger" })
div class="form-group">
@Html.LabelFor(m => m.Email, new { @class = "col-md-2 control-label" })
div class="col-md-10">
@Html.TextBoxFor(m => m.Email, new { @class = "form-control" })
div>
div>
div class="form-group">
@Html.LabelFor(m => m.Name, new { @class = "col-md-2 control-label" })
div class="col-md-10">
@Html.TextBoxFor(m => m.Name, new { @class = "form-control" })
div>