I have an ASP.NET MVC 4 project in which I use an HTML input element in a View. The value of this element is sent to the server via a jQuery post call. I'm not using any Razor syntax, and I haven't manually added any special code to the Controller action.
When I set one of the post parameters to HTML code, the call fails, returning a 500 Internal Server Error. My question is: in order to help prevent XSS attacks, does jQuery terminate the call on the fly, or is it ASP.NET MVC? Second, how would I turn off this feature?
Neither of them. It's the ASP.NET engine. This feature was present in ASP.NET long before ASP.NET MVC even existed, and since ASP.NET MVC is built on top of ASP.NET, it inherited it.
By decorating the view model property you are binding this value to with the [AllowHtml] attribute:
And now you could have the following controller action:
that you are invoking with jQuery.ajax and sending arbitrary HTML contents:
Obviously, by doing this you fully acknowledge the fact that the user can send any arbitrary HTML, including scripts and all the dangerous stuff, to your site. So to prevent XSS attacks, make sure that you have properly encoded this value before displaying it back in some page.
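The pattern the answer describes, written out as an added example (this is not code from the question or the answer above). It assumes an ASP.NET MVC 4 project and made-up names (CommentModel, CommentsController, the Save and SaveRaw actions, the Body and Author properties). It also goes one step beyond the answer by showing the coarser per-action alternative, [ValidateInput(false)], next to the per-property [AllowHtml], and by doing the output encoding the answer insists on at the point where the value is echoed back.

```csharp
// Added example, not from the original post. Names below are hypothetical.
using System.Web;
using System.Web.Mvc;

public class CommentModel
{
    // ASP.NET request validation is switched off for this property only.
    // Every other posted field (Author here) is still checked, so a request
    // with "<script>" in Author still fails while "<b>" in Body is accepted.
    [AllowHtml]
    public string Body { get; set; }

    public string Author { get; set; }
}

public class CommentsController : Controller
{
    // Called from the page with something like:
    //   $.ajax({ url: '/Comments/Save', type: 'POST',
    //            data: { Author: 'bob', Body: '<b>hi</b><script>alert(1)</script>' } });
    [HttpPost]
    public ActionResult Save(CommentModel model)
    {
        if (model == null || string.IsNullOrEmpty(model.Body))
            return new HttpStatusCodeResult(400);

        // The raw HTML may be stored as-is, but it must never reach a page
        // unencoded. Encoding at the output boundary turns "<script>" into
        // "&lt;script&gt;", which the browser renders as text, not markup.
        string safeBody = HttpUtility.HtmlEncode(model.Body);
        string safeAuthor = HttpUtility.HtmlEncode(model.Author);

        return Json(new { author = safeAuthor, body = safeBody });
    }

    // Coarser alternative: disable request validation for the whole action.
    // Every parameter of this action, not just one property, now accepts
    // markup, so prefer [AllowHtml] on a single property where you can.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult SaveRaw(string body)
    {
        if (string.IsNullOrEmpty(body))
            return new HttpStatusCodeResult(400);

        return Json(new { body = HttpUtility.HtmlEncode(body) });
    }
}
```

Pick one encoding boundary and stick to it: if the server encodes as above, the client can insert the returned string with jQuery's .html(); if the server returns the raw value instead, the client must insert it with .text(), never .html(). Encoding on both sides produces visible "&amp;lt;" artifacts, and encoding on neither side is the XSS the answer warns about.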