Am I missing something or asp.net core allows to post script tag in user text fields? In Previous versions of asp.net mvc I needed to allow it by [AllowHtml] attribute.
Is there a way how enable validation agains potentially dangerous values?
I'm free to submit value like
<script src='http://test.com/hack.js'></script>
during form post.
Model:
using System.ComponentModel.DataAnnotations;
namespace Test.Models
{ public class TestModel { [MaxLength(500)] public string Content { get; set; } }
}
Controller:
using Microsoft.AspNetCore.Mvc;
using Test.Models;
namespace Test.Controllers
{ public class HomeController : Controller { public IActionResult Index() { var model = new TestModel { Content = "Test" }; return View(); } [HttpPost] public IActionResult Index(TestModel model) { if(!ModelState.IsValid) return View(model); return Content("Success"); } }
}
View:
@model TestModel
<form asp-action="Index" asp-controller="Home" method="post"> <div asp-validation-summary="All"></div> <label asp-for="Content">Content<strong>*</strong></label> <span asp-validation-for="Content"></span> <input asp-for="Content" type="text" /> </div>
</form>