We know that a Cross Site Scripting (XSS) attack is very common and is a very popular attack against web applications. If you are new to XSS attacks then the following article is for you.

An XSS attack is basically the result of poor form validation, although the malicious script may also be injected from a query string; the chances of that are smaller compared to form input. How do XSS attacks work? First the attacker enters some HTML code into an HTML input field, and if we did not check the input string for HTML, the data is saved to the database along with the HTML tag.

Now, when there is a need to show the data in a user interface, we fetch it from the database and a genuine browser parses it as HTML code. If the attacker entered an ordinary HTML string then there is no problem at all. But that is not generally what happens. They may inject harmful JavaScript code through an input field that steals important data from the client's computer.

Alright, so this is the XSS attack in brief. And I am sure that you never want to allow a user to inject an HTML element through a form.

In traditional Web Forms applications, we use a form validation script (usually written in JavaScript) to validate the user's data. But the MVC library has done the job for us; we need not validate externally or write long code.

Here we will see how to prevent an XSS attack using the ValidateInput attribute. First, create one simple model as in the following code:
public class person
{
    public string personDescription { get; set; }
}

For simplicity we have added only one property to the model class. Now I will implement the controller to render the view. Let's write the following code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using MVC_5.Models;
namespace MVC_5.Controllers
{
    public class personController : Controller
    {
        // Renders the form.
        public ActionResult Index()
        {
            return View();
        }

        // Receives the posted form; model binding fills p.personDescription.
        public void GetPerson(person p)
        {
        }
    }
}

This is the basic person controller and it renders the view when the Index() action is called. And on form submission it calls the GetPerson() action. Fine, let's implement the view to get the form data:
@model MVC_5.Models.person
@{
    Layout = null;
}
<!DOCTYPE html>
<html>
<head>
    <meta name="viewport" content="width=device-width" />
    <title>Index</title>
</head>
<body>
    <div>
        @{
            using (Html.BeginForm("GetPerson", "person"))
            {
                <input type="text" name="personDescription" /> <br />
                <input type="submit" value="Submit Form" />
            }
        }
    </div>
</body>
</html>

And here is the output:


We are entering an HTML element along with the data. And once we click on the submit button we will see the following picture:

So, in MVC, by default it rejects the HTML element as form data; anyway, we can use the ValidateInput attribute to prevent HTML explicitly, in this way:
public class personController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
    [ValidateInput(true)]
    public void GetPerson(person p)
    {
    }
}


Or we can apply the ValidateInput attribute to the whole controller.
[ValidateInput(true)]
public class personController : Controller
{
}


If you want to allow an HTML element through form input, just change the true parameter to false. Then it will accept an HTML element as input. Or we can use the AllowHtml attribute on a model property. The code below allows an HTML element for a certain property only.
public class person
{
    [AllowHtml]
    public string personDescription { get; set; }
}
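To make the trade-off concrete, here is an added example (not the article's code) that combines the pieces above: AllowHtml on one property, request validation left on for the rest of the model, and the description HTML-encoded before it is written back. The extra personName property and the HttpUtility.HtmlEncode call are additions for illustration.

```csharp
using System.Web;
using System.Web.Mvc;

namespace MVC_5.Models
{
    // Added example: AllowHtml relaxes request validation for this one property only.
    // personName is still rejected by MVC if it contains markup such as "<b>".
    public class person
    {
        public string personName { get; set; }

        [AllowHtml]
        public string personDescription { get; set; }
    }
}

namespace MVC_5.Controllers
{
    using MVC_5.Models;

    public class personController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }

        // Request validation is an input filter. Once personDescription is allowed to
        // carry markup, output encoding is what actually stops a stored script from
        // running in the browser, so encode it every time it is written to a page.
        [HttpPost]
        public ActionResult GetPerson(person p)
        {
            if (!ModelState.IsValid)
            {
                return View("Index", p);
            }

            // Razor's @Model.personDescription would encode this automatically; doing it
            // explicitly shows what must happen before any Html.Raw or string-built
            // response. "<script>" becomes "&lt;script&gt;".
            string safeDescription = HttpUtility.HtmlEncode(p.personDescription);

            return Content("<p>" + safeDescription + "</p>", "text/html");
        }
    }
}
```

Submitting `<b>test</b>` in personDescription now reaches the action, while the same value in personName still produces the "potentially dangerous Request.Form value" error.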