Sitecore / ASP.NET Request Validation Won't Disable - asp.net-mvc

Does anybody know why I am unable to turn request validation off? I currently have an ASP.NET MVC application that has been set up with Sitecore 8.1.
I have created an action method on a controller that I am using to import some data into the Sitecore database (specifics out of scope for this question).
One of the fields I'm sending up contains HTML markup so I'm getting the following error message:
A potentially dangerous Request.Form value was detected from the client (mainContent="<p>Learning and Deve...")
For some unknown reason I can't turn this feature off.
I have tried the following:
Added AllowHtml to specific property of my Model.
Added pages element to web config with validateRequest="false"
Ensured httpRuntime element attribute requestValidationMode="2.0" is set
Yes, I have confirmed the correct action method is being hit. If I remove the HTML markup from the POST then it succeeds.
I have added [ValidateInput(false)] to the Controller Action method.
I can't think where else to look. Any ideas anyone? Sorry, I know this question has been posted before but I have tried everything.

Related

Sitecore gives a blank page with just the text "Default page" in my MVC solution

When I browse to my startpage, e.g. /sv I get a blank page that just says "Default Page". However when I try /sv/ it works. Subpages like /sv/example work without slash though. I'm using Sitecore 7.1 with only MVC views.
Remove the default.aspx file from the web root.
That will fix your problem.
When requesting URLs without a slash at the end, the "StripLanguage" processor of the preprocessRequest pipeline rewrites path to the value of the Settings.DefaultPageName setting ("default.aspx" by default). Since such page physically exists on your site, ASP.NET MVC routing system does not handle such request, and the file itself is served. This behavior is controlled over the RouteCollection.RouteExistingFiles property (false by default), please refer to the following article for the details:
http://msdn.microsoft.com/en-us/library/system.web.routing.routecollection.routeexistingfiles.aspx.
In the other case, when a slash is added after a language, this won't happen, since the "StripLanguage" processor does not rewrite the path (which is also not an expected behavior). As a result, the request URL does not match the "default.aspx" static file in the site and the request is processed by ASP.NET MVC.
I suggest you add the following setting to the "Web.config" file (instead of creating a "default.aspx" page), which points to the "default" page without extension:
<settings>
<setting name="DefaultAspxPageName" value="default"/>
</settings>
After that, the /default URL, without ".aspx" extension, will be processed by MVC and the appropriate item will be rendered independently of a slash after the language URL section.
On my side it works.
I want to point out that the answer to this is not my own but given from the support over at Sitecore who I want to extend a big "Thank you!" to. I had googled this forever until they helped me and I thought that I want to have this documented and easily found when others struggle with it. A bug is filed and they are working on fixing it.
DefaultAspxPageName is a hidden setting. We can find more such hidden settings here:
http://www.newguid.net/sitecore/2014/sitecore-hidden-string-configuration-settings/

Unable to open a published MVC Project

I'm a total beginner so sorry in advance.
I used VS13 to build a MVC project and published it to my webspace. Now I'm unsure which file or path I need to specify in my forwarding config in order to open the website.
I tried
/Views/Shared
to get _Layout.cshtml and
/Views/Home
to get Index.cshtml but none of these are working. I also changed some admissions but it always shows me this
Forbidden - You don't have permission to access / on this server.
when I'm trying to open the website.
Any ideas on what I'm doing wrong?
With MVC you don't access views like traditional ASP.NET WebForms, i.e. /path/to/view.aspx. Everything is handled via routing & controllers.
By default you will have a HomeController which will have an Index action which is invoked via a GET request. Assuming you haven't changed any of the default routing configuration you would just need to navigate to www.domainname.com/home to see your Index page.
The default routing configuration looks like /controller/action/parameters, MVC will always work this way unless you tell it different. If you don't pass a specific action (like I didn't with the home url) the Index action of the controller is assumed.

Facebook C# SDK on ASP.NET MVC 3, Potentially dangerous request

The standard "Potentially dangerous request" is expected, resolve it with [ValidateInput(false)] or something more granular if you wish.
In my case, it happens when I make a call to FbApp.Session. I have a BaseController that all Controllers derive from. In there is an override OnActionExecuting call. Pretty common scenario.
Inside of OnActionExecuting, I use the Facebook C# SDK to manage my user membership. Using if (FbApp.Session != null) is how I check if the user is authenticated.
While running the debugger, it points to the call to FbApp.Session as the source of the exception stating "A potentially dangerous request...", due to HTML in one of the posted request vars - even though the actual action I'm posting to has [ValidateInput(false)] attribute.
What is going on inside the Facebook C# SDK that would cause this behavior? How can this be resolved?
Edit: looks like this could be a bug in ASP.NET MVC 3 RC2 (I haven't upgraded to full release yet). I'll upgrade and report my findings.
The answer is, make sure you're on ASP.NET MVC3 RTM, and have <httpRuntime requestValidationMode="2.0" /> in web.config.

How can I get 404 to work with Elmah and the HandleErrorAttribute written for Elmah in asp.net mvc?

I have implemented Elmah in one of my ASP.NET MVC projects. In addition I did the following:
I implemented the ElmahHandleErrorAttribute written by Atif Aziz in this post
I added the attribute to all my controllers
I have setup Elmah to filter out 404 errors since I do not want to log those
I added an Error.aspx view in the Shared folder that I wish to use for all my errors.
My customErrors in the Web.Config are turned on and I have not specified any error pages in it as I shouldn't have to.
In one of my controllers I have the following code:
if (model == null)
throw new HttpException((int)HttpStatusCode.NotFound, "Project not found");
I simply want to display a 404 if a record can not be found in the database. For some reason my Error.aspx page will not display for a 404 error. Instead it displays the generic asp.net "the resource can not be found" page. I have tried to remove the 404 filter setup in Elmah but that does not change anything.
The interesting part is if I change the error from NotFound to say InternalServerError the Error.aspx page shows up just fine.
Does anyone have any pointers as to why this is?
I have not used Elmah beyond creating a sample app - but maybe because a 404 is not application error? If my understanding is correct, a 404 error gets pushed back to IIS which in turn displays the error message you are seeing. Also, I believe that the web.coin
If I understand correctly, you may want to amend your approach and build use this instead or set the Response.StatusCode to 404 (Check out Jeff's answer in the linked question)

A potentially dangerous Request.Form with ASP MVC

I have recently upgraded a project of mine from one of the beta builds of MVC to the full version.
I am getting the yellow screen of death on one of my inputs "A potentially dangerous Request.Form yada yada".
So I tried editing the pages validateRequest attribute, that didn't work.
Then I tried adding
[ValidateInput(false)]
To the offending action, but when I try and build it says the attribute doesn't exist.
So what do I do?
Incidentally, a breaking change in MVC 2 / ASP.NET 4 means [ValidateInput(false)] won't work unless you add the following to the <system.web> part of your web.config file:
<httpRuntime requestValidationMode="2.0" />
It works at my site.
Can you try with a new plain website? I had some other strange behaviours (strongly typed views did not work), when I converted webs from beta to R1. Starting fresh and copying over the files to the new web always worked at the end.
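The granular option the posts above mention, [AllowHtml] on a single model property rather than [ValidateInput(false)] on the whole action, shown as an added example that is not code from any of the posts. ImportModel, ImportController and the property names are hypothetical (MainContent mirrors the mainContent field in the error message), and the web.config line in the comment is the one given in the answers on this page.

```csharp
// Added illustration; ImportModel, ImportController and the property names are hypothetical.
// web.config, inside <system.web>, as given in the answers on this page:
//   <httpRuntime requestValidationMode="2.0" />
using System.Web;
using System.Web.Mvc;

public class ImportModel
{
    // No attribute: request validation still rejects markup posted in this field.
    public string Title { get; set; }

    // Opt out for this one property only, instead of [ValidateInput(false)],
    // which switches validation off for every value the action binds.
    [AllowHtml]
    public string MainContent { get; set; }
}

public class ImportController : Controller
{
    [HttpPost]
    public ActionResult Import(ImportModel model)
    {
        if (model == null || string.IsNullOrEmpty(model.MainContent))
        {
            return new HttpStatusCodeResult(400, "mainContent is required");
        }

        // MainContent arrives unvalidated, so it is untrusted markup from here on.
        // Store it as data (parameterised write, not shown) and never echo it raw.
        string title = HttpUtility.HtmlEncode(model.Title ?? string.Empty);
        string preview = HttpUtility.HtmlEncode(model.MainContent);

        // Returned as text/plain with the markup encoded, so the browser
        // does not interpret any of it as HTML.
        return Content("Imported: " + title + "\n" + preview, "text/plain");
    }
}
```

In a Razor view, `@Model.MainContent` is HTML-encoded by default, while `Html.Raw` writes the stored markup unencoded, so the latter belongs only behind a sanitising step.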
