8

I have an application using Asp.Net 4.61 in which I read html from a database field Description and use it to populate a page in my application. I do this by marking the property Description with [AllowHtml].

In my Asp.Net Core 2.0 app, I get an error that the assembly reference or directive is not found.

I have 2 questions - that will hopefully enable me to better answer questions such as this in the future:

  1. Is there a document/site that I could search to see if AllowHtml is in Core 2.0?
  2. Is there a better/more secure way that I should use if I want to populate web pages by reading from my database than decorating the field/property with [AllowHtml]?
Roddy Balkan

1 Answer

14

You don't need [AllowHtml] anymore, because nobody denies HTML in ASP.NET Core 2.0:

> Don't need [AllowHtml] or RequestValidationEnabled because we don't have request validation in this system

Instead, encode the output and Prevent Cross-Site Scripting

Dmitry
  • How come this is not needed anymore, yet HTML data is sanitized in POST request? In other words there's data loss in POST parameter when it has HTML/CSS markup. I'm still trying to figure this out [here](https://stackoverflow.com/questions/59483284/passing-raw-html-from-view-to-controller-xss-safe-no-information-loss). – om-ha Dec 26 '19 at 02:40
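
The output encoding the answer recommends, shown as an added example that is not part of the original question or answer. It uses the encoders in `System.Text.Encodings.Web`; the class name, method names and the sample `Description` value are hypothetical and constructed for illustration.

```csharp
using System;
using System.Text.Encodings.Web;

public static class DescriptionPage
{
    // Constructed sample of a Description value read back from the database.
    public const string Stored =
        "<b>New</b> model <script>alert('x')</script> & \"more\"";

    // Equivalent of @Html.Raw(description) in a Razor view:
    // the markup is emitted as-is, so the script element stays live.
    public static string RenderRaw(string description) =>
        "<div class=\"desc\">" + description + "</div>";

    // Each output context gets its own encoder. Razor's plain @description
    // applies the HTML encoder automatically; the other two are explicit.
    public static string RenderEncoded(string description)
    {
        // HTML body text and quoted attribute values
        string html = HtmlEncoder.Default.Encode(description);
        // Inside a quoted JavaScript string literal
        string js = JavaScriptEncoder.Default.Encode(description);
        // A URL query-string value
        string url = UrlEncoder.Default.Encode(description);

        return
            "<div class=\"desc\" title=\"" + html + "\">" + html + "</div>\n" +
            "<a href=\"/search?q=" + url + "\">similar</a>\n" +
            "<script>var desc = \"" + js + "\";</script>";
    }

    public static void Main()
    {
        Console.WriteLine("-- raw (what Html.Raw would emit) --");
        Console.WriteLine(RenderRaw(Stored));
        Console.WriteLine("-- encoded per output context --");
        Console.WriteLine(RenderEncoded(Stored));
    }
}
```

In the encoded output the stored value reaches the browser as text in all three contexts, so no element or script from the database field is parsed as markup.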