I have the following header of an ASP.NET MVC page:
<%@ Page Title="" Language="C#" MasterPageFile="~/Views/Shared/Admin.Master" Inherits="System.Web.Mvc.ViewPage<NEOGOV_Ideas.Models.SubIdeaAdminPage>"
ValidateRequest="false" %>
I need to move this page to Razor syntax. How should I set ValidateRequest? Thanks
Razor syntax is a simple programming syntax for embedding server-based code in a web page. In a web page that uses the Razor syntax, there are two kinds of content: client content and server code.
As you know, ValidateRequest is a security feature that has been available since .NET Framework 2.0 in WebForms. It prevents users from entering HTML content in input fields, protecting the application from different kinds of XSS injection attacks.
Comments: The Razor View Engine has two types of comments, single-line and multiline. Razor uses the syntax "@* .. *@" for a comment block, but inside a C# code block we can also use "/* */" or "//".
You can write multiple lines of server-side code enclosed in braces @{ ... }. Each line must end with a semicolon, the same as in C#.
Decorate your action method with the ValidateInput attribute:
[HttpPost]
[ValidateInput(false)] // turns off request validation for this action only
public ActionResult Index()
{
    return View();
}
You shouldn't need that line in the view; instead, use the ValidateInput(false) attribute on the controller method.
Make sure you've got this in your web.config if you're using ASP.NET 4.0 (which I presume you are if you're using MVC 3):
<httpRuntime requestValidationMode="2.0"/>
Martin
From MVC 4 we can allow HTML content only for a property of the model class, not for the whole request. You just need to mark the property with the AllowHtml attribute:
public class EditorialPixlocateRequestViewModel
{
    [AllowHtml]
    public string Xml { get; set; }
}
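An added example, not taken from the question or any of the answers above: it contrasts the action-wide [ValidateInput(false)] with a single [AllowHtml] property and checks the exempted value before it is used. SubmissionViewModel, SubmissionController, the action names and IsWellFormedXml are hypothetical names chosen for illustration.

```csharp
using System.IO;
using System.Web.Mvc;
using System.Xml;

// Hypothetical view model: only Xml skips request validation; Title is still validated.
public class SubmissionViewModel
{
    public string Title { get; set; }
    [AllowHtml]
    public string Xml { get; set; }
}

public class SubmissionController : Controller
{
    // Broad form: request validation is off for every field posted to this action.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult SaveUnvalidated(SubmissionViewModel model) { return View(model); }

    // Narrow form: no ValidateInput(false); [AllowHtml] exempts model.Xml only.
    [HttpPost]
    public ActionResult Save(SubmissionViewModel model)
    {
        // The exempted value is untrusted input, so the application checks it itself.
        if (!IsWellFormedXml(model.Xml))
            ModelState.AddModelError("Xml", "Xml must be a well-formed document without a DTD.");
        if (!ModelState.IsValid)
            return View(model);
        return RedirectToAction("Index"); // assumes an Index action exists
    }

    private static bool IsWellFormedXml(string xml)
    {
        if (string.IsNullOrWhiteSpace(xml)) return false;
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // reject DOCTYPE declarations
            XmlResolver = null                      // never resolve external resources
        };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
            {
                while (reader.Read()) { } // reading to the end throws on malformed input
            }
            return true;
        }
        catch (XmlException) { return false; }
    }
}
```

In the Razor view, `@Model.Xml` HTML-encodes the value on output, while `@Html.Raw(Model.Xml)` writes it verbatim.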