How to mark a form to not validate the input data for any HTML or script content?
To mark an action method as accepting HTML or script data, decorate it with the [ValidateInput(false)] attribute.
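CONTROLLER ACTION METHOD

    // Try entering HTML content in the multi-line text box while this is false
    [ValidateInput(false)]
    [HttpPost]
    public ActionResult DoNotValidateInput(FormCollection form)
    {
        // Read the raw, unvalidated value of the "txt" field
        var data = form["txt"];
        // Content() writes the value back as-is, without HTML encoding
        return Content(data);
    }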
Notice the ValidateInput attribute on the action method above.
VIEW

    <h2>Do Not Validate Input</h2>
    @using (Html.BeginForm())
    {
        <textarea id="txt" name="txt" rows="10" cols="50"></textarea>
        <input type="submit" value="Submit" />
    }
The above form will accept HTML and other script content in addition to normal text, as shown in the picture below.
If we remove the [ValidateInput(false)] attribute from the above action method and submit the same form, it throws the error below (A potentially dangerous Request.Form value was detected).
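With request validation switched off, the action above returns whatever was posted without encoding it, so the application has to handle that itself. The following is an added example, not code from the original post: it exempts only one field from validation with [AllowHtml] and HTML-encodes the value before echoing it. The names CommentModel, Title, DemoController and AllowHtmlOnOneField are hypothetical.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical model: only Txt is exempt from request validation.
public class CommentModel
{
    // Request validation is skipped for this property only.
    [AllowHtml]
    public string Txt { get; set; }

    // Still validated: markup posted here raises the
    // "potentially dangerous Request.Form value" error.
    public string Title { get; set; }
}

// Hypothetical controller name.
public class DemoController : Controller
{
    [HttpGet]
    public ActionResult AllowHtmlOnOneField()
    {
        // Renders a form like the view above (textarea named "txt").
        return View();
    }

    // No [ValidateInput(false)] here: the exemption is scoped to
    // CommentModel.Txt instead of the whole request.
    [HttpPost]
    public ActionResult AllowHtmlOnOneField(CommentModel model)
    {
        // The textarea named "txt" binds to Txt (binding is case-insensitive).
        string raw = model.Txt ?? string.Empty;

        // Encode before writing to the response so that posted markup
        // is displayed as text rather than interpreted by the browser.
        string encoded = HttpUtility.HtmlEncode(raw);

        return Content(encoded, "text/html");
    }
}
```

Passing the value to a Razor view and writing it with @Model.Txt gives the same result, because Razor HTML-encodes @ expressions by default.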