I have a login view in ASP.NET MVC. I want users to be unable to enter tags in the username or password field.

  • Why? What kind of tags? My password can be <password>... Commented Jun 1, 2010 at 14:02
  • That's why I want any solution in which the user can input any character, but by default if I enter a <script> tag in the username it just blasts and a yellow screen comes. Commented Jun 1, 2010 at 14:05
  • Fraz, your question says the opposite; you should correct the question title and text, maybe changing "prevent" for "allow", and "user cannot" for "the users are". Commented Jun 1, 2010 at 19:30

2 Answers

Why would you want to prevent the user from entering tags? Let him enter whatever he wants. Why prevent someone from having a password such as <script>alert('hello');</script> - it looks like a pretty strong password. Personally I hate web sites limiting my choices for a password.

Just make sure that you encode everything you are outputting inside the views:

So instead of:

<div>Hello <%= Model.Username %></div>

Always use:

<div>Hello <%= Html.Encode(Model.Username) %></div>

or:

<div>Hello <%: Model.Username %></div>

if you are working with ASP.NET 4.0.

Also, as pointed out by @Jab in the comments section, in order to accept such input from the user you might need to decorate the controller action that will handle the submission with the [ValidateInput(false)] attribute.

4 Comments

To accept input of <script> tags you will have to use [ValidateInput(false)] on any screen where the user inputs the password. Otherwise you get the YSOD.
Html.Encode(Model.UserName) is working fine when I'm trying to display UserName, but whenever a user tries to log in and enters <script>alert("asdf")</script> in the username textbox a yellow screen comes which says "A potentially dangerous Request.Form value was detected from the client (username="<script>alert("asdf"...")". I have tried [ValidateInput(false)] but it doesn't work.
You need to put it on the controller action to which you are posting: davidhayden.com/blog/dave/archive/2009/04/08/…
Thanks Darin, but I have tried this and it's not working in my case.
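Putting the answer's two pieces together, as an added example that is not code from the answer or from the question: the attribute sits on the POST action that receives the form (so request validation no longer rejects the `<` character), and the value is HTML-encoded on the way out. The controller, action and view names are assumptions made for the example.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical login controller for the form described in the answer.
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult Login()
    {
        return View();
    }

    // [ValidateInput(false)] must be on the action the form POSTs to,
    // not on the one that renders the form; otherwise request validation
    // still throws the "potentially dangerous Request.Form value" YSOD.
    // On ASP.NET 4.0 this additionally needs
    //   <httpRuntime requestValidationMode="2.0" />
    // in web.config, or the attribute is ignored.
    // (MVC 3 and later also offer [AllowHtml] on a single model property,
    // which is narrower than disabling validation for the whole action.)
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Login(string username, string password)
    {
        // Authenticate against the membership store here (not shown).
        // The raw string is never written into the page directly; the
        // view renders it with Html.Encode(...) or <%: ... %>.
        ViewData["Username"] = username;
        return View("Welcome");
    }
}

// What Html.Encode / <%: %> do to the value before it reaches the browser.
public static class OutputEncodingDemo
{
    public static string Encode(string raw)
    {
        return HttpUtility.HtmlEncode(raw);
    }

    public static void Main()
    {
        // Constructed input: the password used as an example in the answer.
        string raw = "<script>alert('hello');</script>";
        Console.WriteLine(Encode(raw));
    }
}
```

After encoding, the angle brackets arrive in the page as `&lt;` and `&gt;`, so the browser shows the text instead of executing it.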
Is there some reason regular sanitisation approaches, as described here, will not work with MVC?
