Why we use ValidateInput(false) ?
Ans: ValidateInput(false) attribute is used to allow sending HTML content or codes to the server which by default is disabled by ASP.Net MVC to avoid XSS (Cross-Site Scripting) attacks.
Note: Mainly we use check editor then we find this type error.
->So , basically to prevent from cross-scripting attack.
ValidateInput and AllowHTML are directly connected with XSS security issues.
So let us first try to understand XSS.
ValidateInput and AllowHTML are directly connected with XSS security issues.
So let us first try to understand XSS.
XSS (cross-site scripting) is a security attack where the attacker injects malicious code while doing data entry. Now the good news is that XSS is by default prevented in MVC. So if any one tries to post JavaScript or HTML code he lands with the below error.
It shows the error
Server Error in '/' Application
A potentially dangerous Request.From value was detected from the
client (ProductDescription = "<b>test</b>").
How to write?
******************************
[ValidateInput(false)]
public ActionResult PostProduct(Product obj)
{
return View(obj);
}
******************************
Ans: ValidateInput(false) attribute is used to allow sending HTML content or codes to the server which by default is disabled by ASP.Net MVC to avoid XSS (Cross-Site Scripting) attacks.
Note: Mainly we use check editor then we find this type error.
->So , basically to prevent from cross-scripting attack.
ValidateInput and AllowHTML are directly connected with XSS security issues.
So let us first try to understand XSS.
ValidateInput and AllowHTML are directly connected with XSS security issues.
So let us first try to understand XSS.
XSS (cross-site scripting) is a security attack where the attacker injects malicious code while doing data entry. Now the good news is that XSS is by default prevented in MVC. So if any one tries to post JavaScript or HTML code he lands with the below error.
It shows the error
Server Error in '/' Application
A potentially dangerous Request.From value was detected from the
client (ProductDescription = "<b>test</b>").
How to write?
******************************
[ValidateInput(false)]
public ActionResult PostProduct(Product obj)
{
return View(obj);
}
******************************
No comments:
Post a Comment