Facebook C# SDK on ASP.NET MVC 3, Potentially dangerous request - asp.net-mvc

The standard "Potentially dangerous request" is expected; resolve it with [ValidateInput(false)] or something more granular if you wish.
In my case, it happens when I make a call to FbApp.Session. I have a BaseController that all Controllers derive from. In there is an override OnActionExecuting call. Pretty common scenario.
Inside of OnActionExecuting, I use the Facebook C# SDK to manage my user membership. Using if (FbApp.Session != null) is how I check if the user is authenticated.
While running the debugger, it points to the call to FbApp.Session as the source of the exception stating "A potentially dangerous request...", due to HTML in one of the posted request vars - even though the actual action I'm posting to has [ValidateInput(false)] attribute.
What is going on inside the Facebook C# SDK that would cause this behavior? How can this be resolved?
Edit: looks like this could be a bug in ASP.NET MVC 3 RC2 (I haven't upgraded to full release yet). I'll upgrade and report my findings.

The answer is, make sure you're on ASP.NET MVC3 RTM, and have <httpRuntime requestValidationMode="2.0" /> in web.config.

Related

Getting "A potentially dangerous Request.Path value was detected from the client (<)" .Net 6

I found so many answers for ASP.Net MVC with a simple fix of including the validateRequest tag in web.config. Do I need to follow the same for .Net Core 6 as well (adding web.config)? No references are found for .Net 6. My exact problem:
http://.....com/aisv3/admin/'<'svg onload='abc'>
This invalid request leads to a VAPT issue; it has to be redirected to my own error page instead of the default error message. Please suggest.

Sitecore / ASP.NET Request Validation Won't Disable

Does anybody know why I am unable to turn request validation off? I currently have an ASP.NET MVC application that has been set up with Sitecore 8.1.
I have created an action method on a controller that I am using to import some data into the Sitecore database (specifics out of scope for this question).
One of the fields I'm sending up contains HTML markup so I'm getting the following error message:
A potentially dangerous Request.Form value was detected from the client (mainContent="<p>Learning and Deve...")
For some unknown reason I can't turn this feature off.
I have tried the following:
Added AllowHtml to specific property of my Model.
Added pages element to web config with validateRequest="false"
Ensured httpRuntime element attribute requestValidationMode="2.0" is set
Yes, I have confirmed the correct action method is being hit. If I remove the HTML markup from the POST then it succeeds.
I have added [ValidateInput(false)] to the Controller Action method.
I can't think where else to look. Any ideas anyone? Sorry, I know this question has been posted before but I have tried everything.

Exceptions in N2cms page

I'm using N2CMS + ASP.NET MVC.
When the site is uploaded to a webserver and an exception is thrown in the aspx page, the page appears blank and there is nothing in the page, even if I turned off the CustomErrors in web.config.
But when the site is running on my computer, Visual Studio simply shows me the exception.
Is there a way to catch the exception in this situation?
This may be due to your hosting configuration. You could take a look at ELMAH for an easy way of logging exceptions.
You can handle all global errors in your Global.asax's method called Application_Error - http://msdn.microsoft.com/en-us/library/24395wz3.aspx . It will work for simple cases. But I strongly recommend using ELMAH.
N2CMS makes calls to SwallowExceptions(). This is why you are receiving a blank page instead of an exception. You could look for that method call and comment it.

A potentially dangerous Request.Form with ASP MVC

I have recently upgraded a project of mine from one of the beta builds of MVC to the full version.
I am getting the yellow screen of death on one of my inputs "A potentially dangerous Request.Form yada yada".
So I tried editing the pages validateRequest attribute, that didn't work.
Then I tried adding
[ValidateInput(false)]
To the offending action, but when I try and build it says the attribute doesn't exist.
So what do I do?
Incidentally, a breaking change in MVC 2 / ASP.NET 4 means [ValidateInput(false)] won't work unless you add the following to the <system.web> part of your web.config file:
<httpRuntime requestValidationMode="2.0" />
It works at my site.
Can you try with a new plain website? I had some other strange behaviours (strongly typed views did not work), when I converted webs from beta to R1. Starting fresh and copying over the files to the new web always worked at the end.
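
The two opt-outs named in the threads above (the web.config setting given in the answers, with [ValidateInput(false)] on the action or the more granular [AllowHtml] on one property), shown side by side with output encoding. This is an added example, not code from the original posts; ArticleModel, ArticleController and their members are hypothetical names.

```csharp
// Added example; ArticleModel, ArticleController and their members are hypothetical.
//
// web.config, inside <system.web>, exactly as quoted in the answers above:
//   <httpRuntime requestValidationMode="2.0" />

using System.Web;
using System.Web.Mvc;

public class ArticleModel
{
    // No attribute: request validation still rejects markup in this field.
    public string Title { get; set; }

    // The "more granular" option (MVC 3 and later): only this property
    // is exempt from request validation during model binding.
    [AllowHtml]
    public string Body { get; set; }
}

public class ArticleController : Controller
{
    // Coarse opt-out: every posted value for this action skips validation.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult SaveRaw(string title, string body)
    {
        // Nothing has screened these values, so encode before echoing them.
        string safe = HttpUtility.HtmlEncode(title) + ": " + HttpUtility.HtmlEncode(body);
        return Content(safe, "text/html");
    }

    // Granular opt-out: only ArticleModel.Body may carry markup.
    [HttpPost]
    public ActionResult Save(ArticleModel model)
    {
        if (!ModelState.IsValid)
            return new HttpStatusCodeResult(400);

        // Body is untrusted HTML. Encode it wherever it is written into a
        // page unless it has first been passed through an allow-list
        // sanitizer (not shown here).
        return Content(HttpUtility.HtmlEncode(model.Body), "text/html");
    }
}
```

Once validation is switched off for a value, output encoding (or sanitizing) is the only control left between that value and the rendered page.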

How can you get the "real" HttpContext within an ASP.NET MVC application?

Unfortunately, I need to do this. I'm using ELMAH for my error log. Before I route to my error.aspx view, I have to grab the default ELMAH error log so I can log the exception. You used to be able to use
Elmah.ErrorLog.Default
However, this is now marked as obsolete. The compiler directs me to use the method
Elmah.ErrorLog.GetDefault(HttpContext context)
MVC's context is of type HttpContextBase, which enables us to mock it (YAY!). How can we deal with MVC-unaware libraries that require the old style HttpContext?
Try System.Web.HttpContext.Current. It should do the trick.
Gets HTTP-specific information about an individual HTTP request.
MSDN
this.HttpContext.ApplicationInstance.Context
