Martin Martin - 10 months ago 134
C# Question

Enable core request validation

Am I missing something or core allows to post script tag in user text fields? In Previous versions of mvc I needed to allow it by [AllowHtml] attribute.

Is there a way how enable validation agains potentially dangerous values?

I'm free to submit value like

<script src=''></script>

during form post.


using System.ComponentModel.DataAnnotations;

namespace Test.Models
public class TestModel
public string Content { get; set; }


using Microsoft.AspNetCore.Mvc;
using Test.Models;

namespace Test.Controllers
public class HomeController : Controller
public IActionResult Index()
var model = new TestModel { Content = "Test" };
return View();

public IActionResult Index(TestModel model)
return View(model);

return Content("Success");


@model TestModel

<form asp-action="Index" asp-controller="Home" method="post">
<div asp-validation-summary="All"></div>
<label asp-for="Content">Content<strong>*</strong></label>
<span asp-validation-for="Content"></span>
<input asp-for="Content" type="text" />


Currently ASP.NET Core 1.0 seems not have a feature similar to Request validation. For more information see the discussion on the ASP.NET Core issue 'Default middleware for request validation, like IIS has'.

That means that validation has to take place on the inbound model. And that in the Razor (.cshtml) you should output user provided input like @Model.Content, which encodes the given string(< is written as <).

Please bear in mind that those escaping techniques might not work when the text that was output is not inside a Html part.

So don't use @Html.Raw(..) unless you know that the data provided has been sanitized.


  • You might want to consider a Web Application Firewall (WAF) for a generic protection against malicious requests (e.g. XSS or SQL Injection).
  • For protecting your users against an XSS attack you might also have a look at providing a Content Security Policy (CSP).