0

Please bear with my ignorance for now, as I have just started learning web-related programming. So, I have a web project written in MVC that has a login window with a Username textbox bound to a property:

@Html.TextBoxFor(model => model.UserName, new {@placeholder = "Username"})

As I understand, Razor automatically HTML-encodes input to help prevent cross-script attacks. However, when I test the username with JavaScript I get an exception from MVC:

A potentially dangerous Request.Form value was detected from the client (UserName="...hp?name_1=code

Which makes me think that the input is NOT HTML-encoded. My idea was to resolve this issue with HTML encoding/decoding, but it looks like I am not getting this whole idea right. Could someone explain?

NOTE: one of SO's related posts provides an unsecured solution but it is not an option for me to simply allow html.

1 Answer

0

It is not HTML-encoded, that is correct. You will have to do the HTML encoding in the Action that the form posts back to.

Also, you will need to add the [ValidateInput(false)] attribute just above your action.
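
An added example, not part of the original answer or the asker's project: one way an ASP.NET MVC 5 action can take over input handling once request validation is switched off for it, by rejecting unexpected user names with an allow-list and HTML-encoding the value where it is written into markup outside Razor. `LoginModel`, `AccountController`, the allow-list pattern and the response markup are assumptions made for illustration.

```csharp
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;

// Hypothetical view model; only UserName appears in the question.
public class LoginModel
{
    public string UserName { get; set; }
}

public class AccountController : Controller
{
    // Assumed allow-list: letters, digits, dot, underscore and hyphen, 1 to 64 chars.
    // \A and \z anchor the whole string, so a trailing newline cannot slip through.
    private static readonly Regex UserNamePattern =
        new Regex(@"\A[A-Za-z0-9._-]{1,64}\z", RegexOptions.CultureInvariant);

    [HttpPost]
    [ValidateInput(false)] // request validation is skipped for this action only
    public ActionResult Login(LoginModel model)
    {
        // With request validation off, the posted value arrives here unchanged,
        // so every check on it is now this action's responsibility.
        string raw = (model == null ? null : model.UserName) ?? string.Empty;

        if (!UserNamePattern.IsMatch(raw))
        {
            // Reject the value instead of trying to clean it up.
            ModelState.AddModelError("UserName",
                "The user name contains characters that are not allowed.");

            // Redisplaying through Html.TextBoxFor is safe: the helper
            // HTML-encodes the value when it writes the input's value attribute.
            return View(model);
        }

        // Outside Razor nothing encodes for you, so encode at the point where
        // the value is concatenated into HTML.
        string encoded = HttpUtility.HtmlEncode(raw);
        return Content("<p>Signed in as " + encoded + "</p>", "text/html");
    }
}
```

A value that is later rendered in a Razor view with `@` should be passed unencoded, because Razor encodes it on output and encoding it in the action as well would show the entity text to the user.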
