I am using CKEditor/CKFinder as wysiwyg editor on my MVC.NET site.
I have set [ValidateInput(false)] and it works when debugging it locally, but I receive the following error when I have published the site:
A potentially dangerous Request.Form value was detected from the client (message="<p> <em>Testing</e...").
Can anyone explain why the published site behaves differently from the local site, especially when I have set [ValidateInput(false)]?
*Update:* I am using .NET 3.5, so shouldn't [ValidateInput(false)] work out of the box?
Have you tried setting the htmlEncodeOutput property?
CKEDITOR.replace('editor1', {
    htmlEncodeOutput: true
});
This should encode the output and you should be able to avoid setting the requestValidationMode.
Documentation for it is here: ckEditor documentation
Add this to your web.config:
<httpRuntime requestValidationMode="2.0" />
Just add the [ValidateInput(false)] annotation to the POST action method:
[HttpPost]
[ValidateAntiForgeryToken]
[ValidateInput(false)]
public ActionResult Detail(ModelClass m)
{
    return View();
}
ValidateRequest="false"
Add this in the particular Page.
Example:
Add ValidateRequest="false" to your Page:
<%@ Page Language="C#" AutoEventWireup="false" Codebehind="MyForm.aspx.cs" Inherits="Proj.MyForm" ValidateRequest="false" %>
Or add this to web.config if using .NET Framework 4.0 (Visual Studio 2010):
<httpRuntime requestValidationMode="2.0" />
Use Request.Unvalidated["myTextBox"]
for example,
var text = Request.Unvalidated["myTextBox"];
where "myTextBox" is the form field you want to allow HTML to be posted from.
I am developing an MVC application and am testing it now.
I am trying to insert <test> into the database for the address field. As it contains angle brackets, it gives an error. For that I use the code below in the controller.
[HttpPost]
public ActionResult Create(Employee employee)
{
    if (ModelState.IsValid)
    {
        employee.Address.Replace("<", "&lt;").Replace(">", "&gt;");
        db.Employees.Add(employee);
        db.SaveChanges();
        return RedirectToAction("Index");
    }
    ViewBag.ReportsToId = new SelectList(db.Employees, "Id", "FirstName", employee.ReportsToId);
    return View(employee);
}
But the cursor never reaches this code. Where should I write the replace code?
Before the cursor gets to that code, it gives an error:
A potentially dangerous Request.Form value was detected from the client (Address ="<test>").
Read this answer for a similar question.
Conclusion: Use the [AllowHtml] attribute over the Address property or change the web.config to use requestValidationMode 2.0:
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
</configuration>
Change employee.Address.Replace("<", "&lt;").Replace(">", "&gt;"); to employee.Address = employee.Address.Replace("<", "&lt;").Replace(">", "&gt;");
This way it takes the employee.Address string, replaces the < and > symbols, then saves the string back to employee.Address.
Also, it may need to be before the if (ModelState.IsValid) part.
There are two problems in your code that you have to solve.
First, as you pointed out, the error:
A potentially dangerous Request.Form value was detected from the client (Address ="<test>").
This error happens because, for the sake of security, MVC does not allow such a string (yours looks like an HTML element) to be sent to your action method by default. That is to prevent the user from submitting some dangerous input to attack your site. For example, rather than <test>, you could type <script>alert('hahaha')</script>, and if you do not encode that input, everyone who accesses the page that contains this address field will get an alert box. And that is why you cannot get to the "Replace code" when debugging: the whole method just won't run because of this error.
That said, there are many options to solve this first error, but you can simply add a ValidateInput attribute to your action method.
[HttpPost]
[ValidateInput(false)]
public ActionResult Create(Employee employee)
By doing this, you are telling MVC to trust you that you will encode that dangerous input at some point. And you are doing that with the Replace code. That is fine. But if you are just using @yourTable.Address to render the data in some view, you don't need to bother replacing < and > in your action code. The MVC Razor engine does the encoding for you when you render the data through the @yourTable.Address syntax.
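One way to narrow the exception to the single Address field instead of disabling validation for the whole site, as an added example that is not code from the answers above (Employee, EmployeesController and ForDisplay are hypothetical names):

```csharp
// Added example, not code from any answer above. Names (Employee, EmployeesController,
// ForDisplay) are hypothetical. It scopes the request-validation exception to the one
// property that legitimately carries markup, instead of turning validation off for the
// whole site via requestValidationMode="2.0" or a global ValidateInputAttribute(false).
using System.Web;
using System.Web.Mvc;

public class Employee
{
    public int Id { get; set; }
    public string FirstName { get; set; }

    // Request validation is skipped for this one property only. Posting "<test>" in
    // FirstName still raises "A potentially dangerous Request.Form value was detected".
    [AllowHtml]
    public string Address { get; set; }
}

public class EmployeesController : Controller
{
    // No [ValidateInput(false)] is needed on the action because of [AllowHtml].
    // The value is stored exactly as typed; encoding is an output concern.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(Employee employee)
    {
        if (!ModelState.IsValid)
            return View(employee);

        // db.Employees.Add(employee); db.SaveChanges();   // persistence as in the question
        return RedirectToAction("Details", new { id = employee.Id });
    }

    // In the Details view, @Model.Address is HTML-encoded by Razor, so "<test>" is shown
    // literally and a "<script>" element in the value is rendered as text, not executed.
    // Only @Html.Raw(...) bypasses that encoding; never apply it to unsanitised input.
    public ActionResult Details(int id)
    {
        var employee = new Employee { Id = id, Address = "<test>" };  // constructed sample
        return View(employee);
    }

    // Same encoding Razor applies, for building strings outside a view (e.g. an e-mail
    // body): "<test>" becomes "&lt;test&gt;".
    public static string ForDisplay(string address)
    {
        return HttpUtility.HtmlEncode(address);
    }
}
```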
How do I disable this page validation entirely and for good in ASP.NET MVC 3?
I have looked through the error message and the other questions with the same title. None of the suggested solutions help:
I do have a
<httpRuntime requestValidationMode="2.0" />
in the <system.web> section in Web.config.
I also do have a validateRequest="false" attribute on the <pages>...</pages> element.
But I am still getting the error. What else can I try?
Add the following line of code:
GlobalFilters.Filters.Add(new ValidateInputAttribute(false));
to the Application_Start() method.
Add [AllowHtml] to the action, parameter, or property.
EDIT: If you want to allow it anywhere, add new ValidateInputAttribute(false) to GlobalFilters.Filters.
How can I use Html.TextAreaFor without encoding it?
I know it's a security risk but I have a separate class that sanitizes any text.
Example:
@Html.TextAreaFor(model => model.PostBodyText, 10, 100, 1)
I'm planning to use it with TinyMCE.
Regards
RaVen
UPDATE
I'm using the new Razor View Engine.
You will need to roll your own:
<textarea cols="100" id="PostBodyText" name="PostBodyText" rows="10">
    @MvcHtmlString.Create(Model.PostBodyText)
</textarea>
Of course, in terms of security this could be very dangerous, as your site is now vulnerable to XSS attacks. So the question is: why have a separate class that sanitizes all the text when you can simply rely on the HTML helpers to do the job for you?
As an alternative option you might want to use ValidateInput as described here. An example in MVC style would be:
[ValidateInput(false)]
public ActionResult Method()
{
    return View();
}

[ValidateInput(false)]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Method(PostModel model)
{
    // your stuff here
    return RedirectToAction("index"); // or something
}
I think that is more the MVC way to go. Now your controller tells you there is a security issue in that controller method. Your view can be any normal view using html helpers etc. Note that this enables all sorts of input, not filtered. It will work with TinyMCE though.
//edit
Woops, I see you need to add
<httpRuntime requestValidationMode="2.0"/>
to web.config as well in new versions of MVC. Guess it might not be the way to go.
Use [AllowHtml] on the model property, as I learned in "In ASP.NET MVC 3, how do I get at the model using Razor syntax in a Create() View?".
Has request validation changed for ASP.NET MVC 2, more precisely, not validating?
I did the following:
Web.configs (in App directory and Views directory)
<pages validateRequest="false"
Controller/Action Attribute
[ValidateInput(false)]
In @Page View Directive
ValidateRequest="false"
The page still gets validated and an exception is thrown when HTML content is posted.
UPDATE
Created a new ASP.NET MVC 2 application and modified the Home controller's Index to this:
[ValidateInput(false)]
public ActionResult Index(string InputText)
{
    ViewData["Message"] = "Welcome to ASP.NET MVC!";
    return View();
}
and my View Page
<% using (Html.BeginForm()) { %>
    <%= Html.TextBox("InputText") %>
    <input type="submit" />
<% } %>
And still the same issue, an exception is thrown.
I should read the error more carefully next time:
To allow pages to override application request validation settings,
set requestValidationMode="2.0" in the configuration section.
After setting this value, you can then disable request validation by
setting validateRequest="false"
I put this in the application's web.config
<system.web>
<httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" />
</system.web>
and it worked.
Update:
I was running ASP.NET 4, that's why :P
Insert obligatory warning about XSS here.
That you decorated the controller (or action) with the ValidateInputAttribute should be enough, as all validation is done at this controller level in ASP.NET MVC.
I have just tried this now on an action, and it returns a nice, evil alert() when I output it, so I'd venture a guess that there's something else going on here.
Do you have a HandleErrorAttribute set up anywhere?
I am using TinyMCE in ASP.NET MVC and getting the error message "a potentially dangerous Request.Form value was detected" when trying to save the text from the TinyMCE editor.
I set ValidateRequest="false" both in web.config and on the page. Any ideas?
Just add the ValidateInput attribute to your action and set it to false, like this:
[ValidateInput(false)]
public ActionResult Submit(string FormContent)
{
}
To get this working in ASP.NET MVC 2.0, I also had to add
<httpRuntime requestValidationMode="2.0" />
to the
<system.web>
section of my web.config file.