I have a simple email form on my site with MVC C#.

If I add alert("test") into the text box, I get the below exception:

A potentially dangerous Request.Form value was detected from the client (Message="<script>alert("test"...").

I don't want a user to be able to insert JavaScript. I need to HTML encode it; how would I do this on this field?

    @Html.TextAreaFor(model => model.Message, new { @style = "width:800px;height:300px;" })
  • possible duplicate of [A potentially dangerous Request.Form value was detected](http://stackoverflow.com/questions/5937127/a-potentially-dangerous-request-form-value-was-detected) – Peter Feb 05 '15 at 07:54

2 Answers

Option 1: Look at the accepted answer at: HTML-encoding lost when attribute read from input field

Option 2: Put the [AllowHtml] attribute on the model item that binds to this textbox and that will let the value into your controller where you can use HtmlEncode.

Option 3: Put the [ValidateInput(false)] attribute on your controller action. This lets everything through no matter what, and then you can do your own custom validation for everything.

Use System.Web.HttpUtility.HtmlEncode to encode all user input and avoid XSS attacks.

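Putting the two answers together (Option 2 of the first answer plus the HtmlEncode advice of the second), here is an added example of what the model and controller could look like; it is not code from either answer or from the asker. The class and action names, the [Required]/[StringLength] rules and the commented-out mail call are assumptions for illustration.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web;
using System.Web.Mvc;

// Hypothetical view model for the email form (names are assumptions, not from the question).
public class ContactFormModel
{
    [Required]
    [StringLength(4000)]
    [AllowHtml] // opt only this property out of ASP.NET request validation (Option 2)
    public string Message { get; set; }
}

public class ContactController : Controller
{
    [HttpGet]
    public ActionResult Index()
    {
        return View(new ContactFormModel());
    }

    // No [ValidateInput(false)] here: the rest of the form is still request-validated,
    // and only Message is allowed to carry markup because of [AllowHtml] above.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(ContactFormModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // model.Message is the raw text the user typed, e.g. a <script> tag.
        // Encode it exactly where it is placed into HTML, so '<', '>', '&' and quotes
        // become entities and the browser renders the text instead of executing it.
        string safeMessage = HttpUtility.HtmlEncode(model.Message);

        // Build the HTML mail body from the encoded value only; the <br/> is our own
        // trusted markup, inserted after encoding so it is not escaped.
        string body = "<p>" + safeMessage.Replace("\n", "<br/>") + "</p>";
        // SendMail(body); // hypothetical: hand the body to your mail-sending code

        // A Razor view that prints @Model.Message encodes it automatically; only
        // @Html.Raw(...) or string-built HTML (like the body above) needs HtmlEncode.
        return View("Sent", model);
    }
}
```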