How to allow a user to input HTML in ASP.NET MVC?
By | August 24, 2011

Whenever we submit HTML or JavaScript as input in an ASP.NET MVC application, we get an exception like "A potentially dangerous Request.Form value was detected from the client (……)". ASP.NET MVC has built-in request validation that helps automatically protect against cross-site scripting (XSS) and HTML injection attacks, so it prevents the user from posting HTML or JavaScript as input.

But sometimes we want to explicitly disable request validation and allow the user to post HTML as input. For example, we may have a view that takes a blog post as input from a rich text editor. In ASP.NET MVC we have multiple options to disable request validation at various levels.

In ASP.NET MVC (V1, V2, V3) we can use the [ValidateInput(false)] attribute to disable request validation during model binding. We add this attribute on top of the controller action method to which the input is submitted.


The [ValidateInput(false)] attribute disables request validation for the complete model or view model, but we may want to allow HTML on only a few of its properties. For example, a BlogPost model class contains three properties: Title, PostContent, and List<Tag>.

Among the three properties, we want to allow HTML only for PostContent. ASP.NET MVC 3 gives us granular control over request validation: it has a built-in attribute to disable validation at the property level. We can apply the [AllowHtml] attribute to properties in a model or view model to disable request validation for them.


[AllowHtml] attribute allows a request to include HTML markup during model binding by skipping request validation for the property.
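The property-level approach described above, as an added example that is not code from the original post: a BlogPost model with [AllowHtml] on PostContent only, and a controller action that cleans the accepted markup before keeping it. The Tag class, BlogController, the in-memory Posts list, and the use of the Microsoft AntiXSS 4.x HtmlSanitizationLibrary (Sanitizer.GetSafeHtmlFragment) are assumptions made for the illustration.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
using Microsoft.Security.Application; // assumption: AntiXSS 4.x HtmlSanitizationLibrary is referenced

public class Tag { public string Name { get; set; } }

public class BlogPost
{
    // No attribute: request validation still rejects markup posted here.
    public string Title { get; set; }

    // Only this property skips request validation (ASP.NET MVC 3).
    [AllowHtml]
    public string PostContent { get; set; }

    public List<Tag> Tags { get; set; }
}

public class BlogController : Controller
{
    // Constructed in-memory store, standing in for real persistence.
    private static readonly List<BlogPost> Posts = new List<BlogPost>();

    // [ValidateInput(false)] is deliberately NOT applied: it would also
    // switch off validation for Title and Tags.
    [HttpPost]
    public ActionResult Create(BlogPost post)
    {
        if (!ModelState.IsValid)
            return View(post);

        // [AllowHtml] only lets the markup through; it does not clean it.
        // Remove script and event-handler content before storing.
        post.PostContent = Sanitizer.GetSafeHtmlFragment(post.PostContent ?? string.Empty);

        Posts.Add(post);
        return RedirectToAction("Index");
    }

    public ActionResult Index()
    {
        return View(Posts);
    }
}
```

Because PostContent has to be written to the page unencoded to display as formatted HTML, the sanitizing step is what stands between a submitted post and stored XSS.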


About The Author

Shravan Kumar Kasagoni

Shravan works as a Software Engineer at Thomson Reuters and is a Microsoft MVP for ASP.NET & IIS. Programming is his passion. He is a core member of Microsoft User Group Hyderabad. In his overall experience of 5+ years, his expertise includes ASP.NET MVC, ASP.NET, and Object Oriented Designing. He has built a few crazy products using Microsoft technologies and open standards for the next generation web & mobile. Shravan's Blog: http://theshravan.net/blog Follow Shravan @ Twitter: @techieshravan