A potentially dangerous request...

  • Question

  • User-1244695925 posted

    This cropped up for me after upgrading to RC. I get the following error when trying to submit a form that has a textarea converted to a WYSIWYG edit with TinyMCE.

     "Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case."

    In my web.config (both in root and view folders) <pages validateRequest="false"> is set. I put validaterequest="false" in the view (even though it wouldn't have even been called at the point it's failing). I even put ValidateRequest = false; in the action that is being called after the form is submitted.

    Nothing works, the form simply fails because asp.net detects the potentially dangerous input (I want it to go through, I've built some methods to strip out things I don't want to show up). Any ideas why this would suddenly crop up? And why my attempts to turn off request validation have failed?

    TIA!

    Thursday, January 29, 2009 8:52 AM

All replies

  • User-109060882 posted

    Hi Chad,

    To allow requests to your action (or controller) that may contain dangerous characters such as "<" you need to apply the ValidateInput action filter to either your controller or better yet to the specific action:

    [ValidateInput(false)]
    public ActionResult Index(string dangerousInput) {
        return View();
    }

    Setting validateRequest in web.config doesn't have the right effect on view pages since view pages run way, way after the input has been processed. That's why in MVC we have an MVC-specific way of performing request validation.

    Also, setting ValidateRequest in the action itself is also too late because we've already detected the dangerous data and stopped processing. You could instead override I believe the OnAuthorizing method in your controller and set ValidateRequest = false in there. That's essentially what the attribute I showed does.

    Thanks,

    Eilon

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, January 29, 2009 12:21 PM
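
An added example, not part of the original thread and not code from ASP.NET MVC: once `[ValidateInput(false)]` switches off request validation for an action, the action has to check the posted HTML itself, as the error message recommends. `HtmlAllowList`, its tag list and the sample input are assumptions made for illustration; the code encodes everything and then restores only attribute-free formatting tags.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical helper (not part of ASP.NET MVC): call it on the string
// parameter of an action marked [ValidateInput(false)] before storing it.
public static class HtmlAllowList
{
    // Tags the editor may keep; anything else stays encoded as plain text.
    private static readonly string[] Allowed =
        { "b", "i", "em", "strong", "p", "ul", "ol", "li", "br" };

    // Matches an *encoded* tag with no attributes: &lt;b&gt;, &lt;/p&gt;, &lt;br/&gt;
    private static readonly Regex EncodedTag = new Regex(
        @"&lt;(/?)([a-zA-Z0-9]+)\s*(/?)&gt;", RegexOptions.Compiled);

    public static string Sanitize(string rawHtml)
    {
        if (string.IsNullOrEmpty(rawHtml)) return string.Empty;

        // 1. Neutralise all markup: <, >, &, " and ' become entities.
        string encoded = WebUtility.HtmlEncode(rawHtml);

        // 2. Restore only bare allow-listed tags. A tag carrying attributes
        //    (onerror=, style=, href=) never matches and stays encoded.
        return EncodedTag.Replace(encoded, m =>
        {
            string name = m.Groups[2].Value.ToLowerInvariant();
            if (Array.IndexOf(Allowed, name) < 0) return m.Value;
            return "<" + m.Groups[1].Value + name + m.Groups[3].Value + ">";
        });
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample of what a WYSIWYG textarea might post.
        string posted = "<p>Hello <b>world</b></p>"
                      + "<script>alert(1)</script><img src=x onerror=alert(1)>";
        Console.WriteLine(HtmlAllowList.Sanitize(posted));
    }
}
```

Markup that a rich-text editor emits with attributes (links, inline styles) stays encoded under this allow-list, so it is displayed as text rather than rendered.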
  • User2100276904 posted

     Eilon,

     I didn't post the original question, but stumbled upon the same issue. Your answer solved that perfectly.

    Thanks!
    v

    Thursday, January 29, 2009 3:17 PM
  • User-1244695925 posted

     I haven't had a chance to update my code yet, but I didn't know about that action filter. I have no doubts that will fix my issue. In fact, I believe this is a better way than I was attempting anyway... as it's very granular down to the specific action I want to allow the html to pass for.

    Thank you very much.

     

    Thursday, January 29, 2009 8:16 PM
  • User-594064784 posted

    Hi Chad,

    To allow requests to your action (or controller) that may contain dangerous characters such as "<" you need to apply the ValidateInput action filter to either your controller or better yet to the specific action:

    [ValidateInput(false)]
    public ActionResult Index(string dangerousInput) {
        return View();
    }

    My serious problem with RC is that Visual Studio 2008 and compiler can't find where ValidateInputAttribute is. It tries to get it from Microsoft.Web.Mvc and that attribute accepts no parameter. So after adding the filter, I can't even compile. Ughhhh. Please help!!

    Wednesday, February 11, 2009 10:14 AM
  • User-1660457439 posted

    The Beta Microsoft.Web.Mvc assembly cannot be used with the RC System.Web.Mvc assembly.  Please download the RC Microsoft.Web.Mvc assembly from http://www.codeplex.com/aspnet/Release/ProjectReleases.aspx?ReleaseId=22359.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, February 11, 2009 2:14 PM
  • User-241823321 posted

    Looks like ValidateInput does not work for me...

    I'm using RC1 (and uninstalled previous version), the attribute is recognized in my code, but nothing to do: whenever I put an HTML tag in a textarea or input 'text', I got the HttpRequestValidationException.

    Am I missing something?? I spent 2 hours googling a solution and it seems the ValidateInput attribute works for everybody, how boring...

    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]
    public ActionResult EmailTemplateUpdate(int idTemplate, int idLanguage, string subject, string name, string bodyHtml, string bodyText)
    {
       // the string containing HTML is the 'bodyHTML' parameter
       // whatever ...
    }
    
      
    Monday, March 2, 2009 8:02 AM
  • User-1660457439 posted

    The page that you're rendering might have request validation enabled explicitly in the <%@ Page %> directive, or request validation isn't disabled in Web.config.  (If you create a new MVC app using RC1, take a look at the Web.config files that it generates to see the code we use to disable request validation at the page level.)

    Tuesday, March 3, 2009 4:51 AM
  • User1659290620 posted

    Do you use RenderAction when rendering the view after the action?

    If so, put the ValidateInput(false) attribute on those actions too (as Request.Form still holds "potentially dangerous" data).

    Wednesday, March 4, 2009 9:20 AM
  • User-241823321 posted

    The hell with...

    I retried today and it worked. I tried for 2 hours the other day and I always had the same message no matter what I do.

    I wonder if there is a cache somewhere that retained validation information... Next time I meet that sort of problem I'll restart my computer ;)

    Thanks for your help!

    Thursday, March 5, 2009 7:19 AM