Recently, while I was working on an ASP.NET MVC project, I found that one controller action could not receive the HTML form requests and data submitted from the client. The cause turned out to be that, by default, ASP.NET MVC performs security validation on the data the client submits to the server before executing the controller's code. If ASP.NET detects dangerous data in the submission (usually certain keywords and key symbols), it terminates the current request and throws an exception, so the submitted data never reaches the controller or the action. In this project the trigger was that some pages use a rich text editor, and the text a user enters in a rich text editor is actually HTML. When the editor's data is submitted to the server, ASP.NET sees a large number of HTML tags, treats them as dangerous data, terminates the request, and throws an exception. This behavior is not limited to ASP.NET MVC: WebForms has the same data security validation, and in both MVC and WebForms the validation can be turned off. See below for details.
Later, it turned out that ASP.NET MVC has a filter called ValidateInputAttribute that can turn off data security validation. Once it is added to the action that receives the data, the rich text editor's data is passed to the action successfully. Passing false as the parameter, as shown below, tells ASP.NET not to verify data security for this action.
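The attribute usage described above, as an added example that is not the original post's code. It also shows `[AllowHtml]`, which exempts a single model property instead of the whole action; `ArticleController`, `ArticleModel`, and the action names are assumptions made for illustration.

```csharp
using System.Web.Mvc;

// Hypothetical view model for the rich text form (names are assumptions).
public class ArticleModel
{
    // Still subject to request validation: markup in this field
    // causes the request to be rejected before the action runs.
    public string Title { get; set; }

    // Only this property is exempt, so the editor's HTML can bind.
    [AllowHtml]
    public string Body { get; set; }
}

public class ArticleController : Controller
{
    // Broad form: validation is off for every value this action binds,
    // including "title", which never needed to carry markup.
    [HttpPost]
    [ValidateInput(false)]
    [ValidateAntiForgeryToken] // the form must render @Html.AntiForgeryToken()
    public ActionResult SaveUnvalidated(string title, string body)
    {
        // "body" (and "title") arrive here as raw, untrusted input.
        int length = (body ?? string.Empty).Length;
        return Content("saved " + length + " characters", "text/plain");
    }

    // Narrow form: request validation stays on for the action;
    // only ArticleModel.Body is allowed to contain HTML.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Save(ArticleModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        // model.Body is untrusted HTML: persist it as data, and never
        // render it unencoded without allow-list sanitization first.
        return RedirectToAction("Index");
    }
}
```

Either way, request validation no longer protects the rich text field, so the stored HTML has to be sanitized against an allow-list of tags and attributes before a view renders it unencoded.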
Here is an introduction to some commonly used filters in the MVC framework, including ValidateInputAttribute:

| Name | Description |
| --- | --- |
| OutputCacheAttribute | Similar to the OutputCache directive in Web Forms. The OutputCache attribute lets the MVC framework cache a controller's output. |
| ValidateInputAttribute | Similar to the ValidateRequest property in Web Forms. By default, the MVC framework checks incoming HTTP requests for HTML or other dangerous content. If any is detected, an exception is thrown. Use this attribute to disable request validation. |
| AuthorizeAttribute | A declarative authorization check that can be applied to a controller. This attribute can restrict actions to users in a particular role; use it when you create an action that should be available only to users in the Administrator role. By default it uses the ASP.NET Membership service; if you do not use the ASP.NET Membership service, you can inherit from AuthorizeAttribute and override the implementation. |
| ValidateAntiForgeryTokenAttribute | This attribute helps prevent cross-site request forgery (CSRF). It lets the framework validate a user-specific token on HTTP POST requests. For more information on CSRF, see "Using the ASP.NET AntiForgeryToken() helper to prevent cross-site request forgery (CSRF)." |
Beware of ValidateInputAttribute in ASP.NET MVC