Validate Input and Allow Html

by Sachin Singh


Posted on Sunday, 05 April 2020

Tags: MVC, MVC html content, MVC Validate Input, Validate Input, ValidateInput and AllowHtml attribute, difference between validateinput and allowhtml in mvc, XSS attack in MVC

Whenever we allow users to enter data there is a chance of an XSS attack. XSS stands for cross-site scripting; it is a security attack where the attacker injects malicious code, such as JavaScript or HTML, instead of simply entering what is asked for.

In ASP.NET MVC there is a default mechanism (request validation) that blocks such input. But in specific situations we want users to enter HTML, for example in an HTML editor or a code editor, and the framework has no way to tell a mistake from a wish. So ASP.NET MVC provides ValidateInput and AllowHtml, which let the framework know that this is the developer's wish and that the XSS check should be skipped.

Now let's create a form, try to enter HTML in its input fields and see what happens. Before creating the form, first create a model class with some properties like the one below. The model will be used as the parameter of the action method to receive the input values.


    // Model class bound from the posted form. The property is named Ques rather than Question:
    // a member cannot share the name of its enclosing class, and the view posts the field as "Ques".
    public class Question
    {
        public string UserName { get; set; }
        public string Ques { get; set; }
        public string Answer { get; set; }
    }

Now create two action methods: one that returns the view (the data entry screen) and a second that saves the form's values into the database.


    // GET: returns the data entry screen (the view).
    public ActionResult QuestionEntryScreen()
    {
        return View();
    }

    // POST: receives the Question model bound from the submitted form.
    [HttpPost]
    public void Save(Question que)
    {
        // code to insert into database.
    }

Also create the question entry screen (the view) like below.


        
    @{
        Layout = null;
    }

    <!DOCTYPE html>

    <html>
    <head>
        <meta name="viewport" content="width=device-width" />
        <title>QuestionEntryScreen</title>
    </head>
    <body>
        <div>
            <form action="/XSS/Save" method="post">
                <table>
                    <tr>
                        <td>@Html.Label("Enter your Name")</td>
                        <td>@Html.TextBox("UserName")</td>
                    </tr>
                    <tr>
                        <td>@Html.Label("Enter Question")</td>
                        <td>@Html.TextBox("Ques")</td>
                    </tr>
                    <tr>
                        <td>@Html.Label("Enter Answer")</td>
                        @* cols sets the width of the textarea *@
                        <td>@Html.TextArea("Answer", new { cols = "10" })</td>
                    </tr>
                    <tr>
                        <td colspan="2"><button type="submit">Save</button></td>
                    </tr>
                </table>
            </form>
        </div>
    </body>
    </html>

Now run the application, enter some HTML into the Answer textarea and click Save. You will get the following error.

[Screenshot: XSS attack error (error due to XSS)]

As you can see, the MVC framework does not allow the user to enter HTML. To skip this XSS check we have two options available in ASP.NET MVC.

  • ValidateInput(false) attribute, which is applied to the action method.
  • AllowHtml attribute, which is applied to a model property.

Let's mark our Save method with the ValidateInput(false) attribute and try to enter HTML code from the question entry screen.
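The controller as marked for this step, written out as an added example rather than the article's own listing; the controller name XSSController is assumed from the form's action="/XSS/Save", and the Question model is the one defined above:

```csharp
using System.Web.Mvc;

// Added example: the controller behind action="/XSS/Save" (the name is assumed).
public class XSSController : Controller
{
    // GET: the data entry screen.
    public ActionResult QuestionEntryScreen()
    {
        return View();
    }

    // ValidateInput(false) turns request validation off for the whole action:
    // UserName, Ques and Answer are all accepted with markup, not just Answer.
    // Request validation is only an input-side filter; whatever is saved here
    // still has to be HTML-encoded when it is displayed (Razor does that for @Model.X).
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Save(Question que)
    {
        // code to insert into database goes here
        return RedirectToAction("QuestionEntryScreen");
    }
}
```

The attribute can also be placed on the controller class, which widens the exemption to every action in it; keeping it on the single action is the narrower choice.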

[Screenshot: ValidateInput attribute]

You can see that after marking the action method with the ValidateInput(false) attribute we are able to post HTML code from the Answer textarea without getting any security error.

The ValidateInput attribute is good but not great: if a gun can do the job, why use a bomb? We only want the user to enter HTML into the Answer textarea, but now he is able to post HTML or JavaScript from the other input fields as well.

So, if we want to skip the XSS security check only for the Answer field, it is better to tell the ASP.NET MVC framework to skip the check for this very field only and not for all of them. This is where we use the AllowHtml attribute.


    using System.Web.Mvc;   // AllowHtml is defined in System.Web.Mvc

    public class Question
    {
        public string UserName { get; set; }
        public string Ques { get; set; }
        // Request validation is skipped for this property only.
        [AllowHtml]
        public string Answer { get; set; }
    }

Now remove ValidateInput from the Save action method, run the application, enter some HTML into the Answer textarea and click Save.

[Screenshot: AllowHtml attribute result]

You can see that we are still able to post HTML from the Answer textarea, but not from the other fields. This is all about the AllowHtml attribute and the ValidateInput attribute.
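What happens to the allowed HTML after it is saved is the part neither attribute covers, so here is an added example (not the article's code) of the controller used with the [AllowHtml] version of the Question model: Save needs no ValidateInput, and Show renders the stored answer HTML-encoded, which is exactly what a Razor view does for @Model.Answer. The in-memory list standing in for the database, the Show action and the RenderAnswer helper are assumptions made for this example.

```csharp
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Added example; XSSController is assumed from the form's action="/XSS/Save".
public class XSSController : Controller
{
    // Constructed stand-in for the database table.
    private static readonly List<Question> Store = new List<Question>();

    public ActionResult QuestionEntryScreen()
    {
        return View();
    }

    // No ValidateInput(false) here: request validation still runs for UserName
    // and Ques; only Answer is exempt, through [AllowHtml] on the model property.
    [HttpPost]
    public ActionResult Save(Question que)
    {
        Store.Add(que);
        return RedirectToAction("Show", new { id = Store.Count - 1 });
    }

    // Displays a saved answer. The markup is shown as text rather than executed,
    // because it is HTML-encoded on output: AllowHtml only affects input.
    public ActionResult Show(int id)
    {
        if (id < 0 || id >= Store.Count)
        {
            return HttpNotFound();
        }
        return Content(RenderAnswer(Store[id]), "text/html");
    }

    // Builds the page fragment. HttpUtility.HtmlEncode does what Razor's @ does
    // for @Model.Answer; concatenating que.Answer unencoded (or writing
    // @Html.Raw(Model.Answer) in a view) would let any stored <script> run.
    public static string RenderAnswer(Question que)
    {
        return "<h2>" + HttpUtility.HtmlEncode(que.UserName) + "</h2>"
             + "<p>" + HttpUtility.HtmlEncode(que.Ques) + "</p>"
             + "<pre>" + HttpUtility.HtmlEncode(que.Answer) + "</pre>";
    }
}
```

If the stored HTML is meant to be rendered as markup (the HTML editor case from the introduction), encoding is not enough on its own; the value must then be passed through an HTML sanitizer before it reaches @Html.Raw, and AllowHtml by itself does nothing of the kind.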