If you are learning ASP.NET MVC 3 or curious as to the new features in ASP.NET MVC 3, you can check out my list of ASP.NET MVC 3 Tutorials.

A Potentially Dangerous Request.Form Value was Detected From The Client

Let's say we are creating a simple form in our ASP.NET MVC 3 web application and there is a Body field on the form where we want to allow HTML Tags.

[Image: ASP.NET MVC 3 Form]

If we do not disable request validation in some manner for this Body field, we will get the dreaded error: A potentially dangerous Request.Form value was detected from the client (Body = "<br>").

[Image: A potentially dangerous Request.Form value]

Request validation is a good thing, since it keeps people from injecting script tags into our application for Cross-Site Scripting (XSS) attacks. However, in this case we want to disable request validation on the Body field so we can put HTML in the body of our blog posts.

ValidateInput Attribute

In ASP.NET MVC 2 we used the ValidateInput Attribute on the action to disable request validation for the entire request (see ValidateInput Attribute in ASP.NET MVC - Potentially Dangerous Request.Form Values).

 

[Image: ValidateInputAttribute]

 

The downside of this approach is that the ValidateInputAttribute disables request validation on all model properties, when we just want to disable request validation on a single property, called Body.

AllowHtmlAttribute in ASP.NET MVC 3

In ASP.NET MVC 3 we now have a property attribute, called AllowHtmlAttribute, that we can include on model properties to disable request validation on a property-by-property basis. Instead of using the ValidateInputAttribute on the action, we turn off request validation just on Body by adding the [AllowHtml] attribute to it:

 

[Image: AllowHtmlAttribute]

 

This allows HTML for the Body property, but does not allow HTML for the Title property, which is what we want.
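The two approaches side by side, as an added example that is not the original post's code. The BlogPost and BlogController names, the action names and the Create and Index views are assumptions; only the Title and Body properties and the two attributes come from the text above.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical model for the form described above (Title and Body fields).
public class BlogPost
{
    // Request validation still applies here: markup posted in Title is rejected
    // with "A potentially dangerous Request.Form value was detected".
    [Required]
    public string Title { get; set; }

    // Request validation is skipped for this property only, so Body
    // arrives in the action as raw, untrusted HTML.
    [Required, AllowHtml]
    public string Body { get; set; }
}

// Hypothetical controller; assumes Create and Index views exist.
public class BlogController : Controller
{
    public ActionResult Index() { return View(); }

    // ASP.NET MVC 2 style: request validation is off for the whole
    // request, so Title is no longer checked either.
    [HttpPost, ValidateInput(false)]
    public ActionResult CreateUnvalidated(BlogPost post) { return Save(post); }

    // ASP.NET MVC 3 style: nothing on the action; only the property
    // marked [AllowHtml] on the model is exempt from request validation.
    [HttpPost]
    public ActionResult Create(BlogPost post) { return Save(post); }

    private ActionResult Save(BlogPost post)
    {
        if (!ModelState.IsValid) return View("Create", post);
        // Persist the post here (storage is outside this example).
        // Body is untrusted markup: sanitize it before rendering it unencoded.
        return RedirectToAction("Index");
    }
}
```

With [AllowHtml] on Body, the Razor default of HTML-encoding output still protects any view that writes @Model.Body; the risk appears only where the view outputs Body unencoded.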

[Note: Briefly in ASP.NET MVC 3, before it was released, there existed a SkipRequestValidationAttribute. It no longer exists and has been renamed to AllowHtmlAttribute.]

Conclusion

Unless you want request validation disabled for the entire request, I recommend using the AllowHtmlAttribute instead of the ValidateInputAttribute when migrating your web applications from ASP.NET MVC 2 to ASP.NET MVC 3.


Hope this helps.

David Hayden