In ASP.NET Web Forms, whenever a form post contains an HTML tag (such as a <div> or any other tag), the input posted back to the server is validated and an exception is thrown. This is request validation, and in Web Forms it is enabled or disabled by setting the ValidateRequest property. When it is turned off, validation is disabled for the entire request; the feature can't be selective (you have to turn it on or off for the entire page, and can't apply it to individual controls only). MVC has this capability too; take the following view:

<% Html.BeginForm(); %>

 Name: <%= Html.TextArea("Name") %>

 Html: <%= Html.TextArea("Html") %>

<input type="submit" value="Save" />

<% Html.EndForm(); %>

If either of the two text areas contains HTML tags in the posted data, an exception would be thrown in Web Forms, and one can be thrown in MVC too. To set this up, we apply the ValidateInputAttribute at the class or method level, like the following:

// ValidateInputAttribute takes a bool; true turns request validation on.
[HttpPost, ValidateInput(true)]
public ActionResult Validation(FormCollection values)
{
    ViewData["IsValid"] = ModelState.IsValid;

    return View();
}

Because of the attribute declaration, the input will be validated when the form data is posted. When the input is invalid, an error occurs and this action isn't invoked, preventing the malicious input from being processed by the application. See more of the documentation at:
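
The class-level versus method-level placement described above, as an added example that is not code from the original post: validation is switched on for a whole controller and relaxed for a single action, which Web Forms page-level ValidateRequest cannot do. The controller name, the action names and the encoding step are assumptions for illustration.

```csharp
using System.Web;
using System.Web.Mvc;

// Class level: request validation applies to every action in this controller.
// ProfileController is a hypothetical name used only for this example.
[ValidateInput(true)]
public class ProfileController : Controller
{
    // Inherits the class-level setting. A post whose "Name" field contains
    // markup raises HttpRequestValidationException during model binding,
    // so this body never runs for that request.
    [HttpPost]
    public ActionResult SaveName(string name)
    {
        ViewData["Name"] = name;
        return View();
    }

    // Method level: overrides the class-level setting for this action only,
    // so the "Html" text area from the view can carry tags. With validation
    // off, the action has to treat the value as untrusted itself.
    [HttpPost, ValidateInput(false)]
    public ActionResult SaveHtml(FormCollection values)
    {
        string raw = values["Html"] ?? string.Empty;

        // Encode before the value is written back into a page, so any
        // posted tags are rendered as text rather than as markup.
        ViewData["Html"] = HttpUtility.HtmlEncode(raw);

        return View();
    }
}
```

When MVC 2 runs on .NET 4, the ValidateInput(false) opt-out only takes effect if web.config also sets requestValidationMode="2.0" on the httpRuntime element.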