Add validateRequest = false but still getting the error - asp.net-mvc

I added:
<pages validateRequest="false">
to my web.config but I am still getting the error:
A potentially dangerous Request.Form value was detected from the
I added it to the view page also and still getting the error.
How can this be?

In MVC, request validation has to be done at the controller level instead of at the page level because the controller is processing input, not the page. If request validation were done at the page level, then the controller would happily process malicious input (and potentially commit it to the database!) before the validation check ever took place.
[ValidateInput(false)]
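As an added example (not code from the answer above), here is what the controller-level switch looks like in C#. The controller, the Comment model and the in-memory store are assumptions made for the example. Two caveats a practitioner will want: on ASP.NET 4 with MVC 2, [ValidateInput(false)] only takes effect if web.config also contains <httpRuntime requestValidationMode="2.0" />, because ASP.NET 4 otherwise validates the request before MVC ever reads the attribute (MVC 3 and later do not need this, and MVC 3 additionally offers [AllowHtml] on a single model property); and switching validation off is not an XSS defence, so the stored markup still has to be encoded when it is rendered.

```csharp
// Added example, not code from the original post: request validation switched off for a
// single ASP.NET MVC action rather than in web.config. Controller, model and the
// in-memory store are assumptions made for the example.
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

public class Comment
{
    public int Id { get; set; }
    public string Author { get; set; }
    public string Body { get; set; }   // the one field that is allowed to carry markup
}

public class CommentsController : Controller
{
    // Stand-in for a database so the example is self-contained.
    private static readonly List<Comment> Store = new List<Comment>();

    // Request validation stays ON here: "<script>" in 'author' is rejected
    // before the action body runs.
    [HttpPost]
    public ActionResult Rename(int id, string author)
    {
        var c = Store.Find(x => x.Id == id);
        if (c == null) throw new HttpException(404, "No such comment");
        c.Author = author;
        return RedirectToAction("Show", new { id });
    }

    // Request validation is OFF for this one action only, because its job is to accept
    // markup. That is all ValidateInput(false) does; it does nothing about XSS.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Create(Comment comment)
    {
        comment.Id = Store.Count + 1;
        Store.Add(comment);
        return RedirectToAction("Show", new { id = comment.Id });
    }

    // The stored markup is encoded on the way out. A view does the same with <%: %> (ASPX)
    // or @Model.Body (Razor); <%= %> or Html.Raw would reintroduce the XSS.
    public ActionResult Show(int id)
    {
        var c = Store.Find(x => x.Id == id);
        if (c == null) throw new HttpException(404, "No such comment");
        string html = "<p>" + HttpUtility.HtmlEncode(c.Author) + ": "
                    + HttpUtility.HtmlEncode(c.Body) + "</p>";
        return Content(html, "text/html");
    }
}
```

Keeping the attribute on the action, rather than on the whole controller or in web.config, means every other input path keeps the default check; only the one field that genuinely needs markup pays for the exception.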

Related

Freemarker and Struts 2 error handling integration

I have a project where Struts2 provides the MVC layer and FreeMarker templates are used to update the web pages. Some of the FreeMarker templates return partial views - for example addNewRow.ftl, which returns a table row.
Actions are validated and error messages are added to web page using addActionError method.
In the cases where the web page only receives a partial view, the validation messages aren't getting displayed since the error info is missing from the page.
How can you retrieve and show the validation errors that occurred in the operation in this case?
Just because you elect to redraw a portion of your UI based on a user operation doesn't mean that is where all that information must be presented. With jQuery, you could easily take the error information and insert it into any existing DOM node on the page, even those that aren't part of the portion of the page you just rendered.
Another solution is to redraw a larger portion of your UI instead, one that includes the error display container, and simply serialize the action messages out during the redraw.
Or you could look at your redraw callback and see whether it can be split into multiple invocations that each handle their portion of the page redraw independently, e.g. add your table row and render the error messages.

Changing the redirect for default errors

So, I have a really simple web application I'm making that accomplishes all its functionality on one page; I don't want any other pages exposed to the user. Yet at the same time, I'd like to take advantage of as much of Grails' built-in functionality as possible, including the built-in error handling.
I have fields in my domain classes with various constraints on them, i.e. unique: true, blank: false, etc. The error catching works brilliantly like this, and I would like to keep taking advantage of it.
However when one of these errors is thrown, it redirects to the "create" page, and displays flash.message there. What I would like is to redirect back to my index, and show flash.message there.
Is there a place to change this behavior, or will I have to write custom error handling into my controller?
You can also define general error pages for different error types in UrlMappings.groovy eg:
"500"(view: "myErrorView")
"404"(view: "my404View")
You can then throw and log exceptions in your controllers which will then redirect to the 500 error page.

ValidateRequest in MVC not truly aborting the request

I'm testing my MVC3 web app for XSS attacks and I'm noticing a weird behavior with the default ValidateRequest in .Net
I have a form with a few text fields and when I enter a 'dangerous' string such as:
<img src=x onerror=alert(/XSS/.source)>
I see the "A potentially dangerous Request.Form was detected..." message pop up as expected.
My understanding is that this validation will automatically cancel the request and no changes will take place. However, when I refresh the page, I'm seeing that the text field in question now displays a value of 'ED7F9'
Something similar occurs if I try to save a value of <script>alert("hi")</script>. In this case, after the validation message, the remaining text in the field is: "alert("
Has anyone seen this before or have any clues as to why this is happening?

Unexpected behaviour with AntiForgeryToken and ValidateAntiForgeryToken

I've started using AntiForgeryToken in some of my forms to prevent cross site request forgery. However I am getting some weird behaviour and just wanted to clarify whether this is a bug or just me doing something wrong. I am using the Html.AntiForgeryToken() call in my form. I then use the [ValidateAntiForgeryToken] attribute in the action method that the form posts to. I'm not using a salt at this point.
My understanding is that Html.AntiForgeryToken() generates a hidden input with a name of __RequestVerificationToken and a cookie named __RequestVerificationToken_Lw__, which should both contain the same value.
The behaviour I am experiencing however is that:
1. The cookie always has the same value no matter how many times you GET the page
2. The hidden input has a different value every time you GET the page
3. The ValidateAntiForgeryToken validates every time, even from a different site in a CSRF scenario.
4. If I change the value of the hidden input in the foreign site, the token doesn't validate (expected behaviour, but why does it validate when the hidden input/cookie value is different?)
Anyone got any ideas?
For number 3, are you including the hidden field in your CSRF scenario?
The safety of the AntiForgeryToken is that the hidden input exists only in the page served by your domain, and cannot be copied or captured by another domain. If you have mocked up a test which passes the hidden input, then that is not a valid test.
I suggest you read this article from Phil Haack: Anatomy of a Cross-site Request Forgery Attack
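The answer's point, as an added example that is not part of the original post and is not the framework's code: a minimal double-submit style check in which a request is accepted only when the browser-attached cookie and the page-embedded hidden field are both present and agree. The real ASP.NET MVC implementation does not compare two identical strings (the hidden field wraps the cookie's token with extra per-render data, which is why it changes on every GET while the cookie does not), so this is a simplification; the cookie and field names are the ones from the question, everything else is assumed.

```csharp
// Added example, not the framework's code: a minimal double-submit check that shows why a
// cross-site test must NOT include the hidden field. Names mirror the ones in the question;
// the scheme itself is a simplification made for illustration.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public static class AntiForgeryDemo
{
    const string CookieName = "__RequestVerificationToken_Lw__";
    const string FieldName = "__RequestVerificationToken";

    // The server mints a random token, sets it as a cookie and writes it into
    // the page as a hidden input.
    public static string NewToken()
    {
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Accept only when both halves are present and identical. The cookie half is attached
    // by the browser to every request for the site, whoever made the page that sends it;
    // the form half exists only in a page the site itself served.
    public static bool Validate(IDictionary<string, string> cookies, IDictionary<string, string> form)
    {
        string fromCookie, fromForm;
        if (!cookies.TryGetValue(CookieName, out fromCookie)) return false;
        if (!form.TryGetValue(FieldName, out fromForm)) return false;
        return FixedTimeEquals(fromCookie, fromForm);
    }

    // Constant-time comparison so a forged token cannot be matched byte by byte via timing.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        string token = NewToken();
        // Constructed sample: the cookie jar of a victim who is logged in to our site.
        var browserCookies = new Dictionary<string, string> { { CookieName, token } };

        // Post from the site's own form: hidden field present and matching.
        var ownForm = new Dictionary<string, string> { { FieldName, token }, { "comment", "hi" } };
        Console.WriteLine("own form:      " + Validate(browserCookies, ownForm));

        // Post from attacker.example: the browser still sends the cookie, but the attacker
        // never saw the token, so the form carries no hidden field, or a guessed one.
        var foreignForm = new Dictionary<string, string> { { "comment", "forged" } };
        Console.WriteLine("foreign form:  " + Validate(browserCookies, foreignForm));

        var guessedForm = new Dictionary<string, string> { { FieldName, NewToken() }, { "comment", "forged" } };
        Console.WriteLine("guessed token: " + Validate(browserCookies, guessedForm));

        // Copying the real hidden field into the foreign page is the test the answer warns
        // against: it passes, but only because the tester had something an attacker cannot get.
        var copiedForm = new Dictionary<string, string> { { FieldName, token }, { "comment", "forged" } };
        Console.WriteLine("copied field:  " + Validate(browserCookies, copiedForm));
    }
}
```

A genuine CSRF test therefore drives the victim's browser from a page on another origin that contains only the fields an attacker could know; if that request is accepted, the check is broken, and if it is rejected, item 3 in the question is explained by the test having carried the token.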

How does validation in ASP.NET MVC 2 actually work?

I am trying to trace through why my ASP.NET MVC 2 validation isn't working, but I can't find enough about HOW it works to be able to do this.
I have followed the steps in this useful article by David Hayden which seems to be the best documentation currently out there, but nothing actually happens.
I get validation when i submit to the server (as I did since Preview 1 when i added data annotations to my model) but I'm not getting any client side validation.
How can I trace through to test? So far I have verified the following obvious things:
MicrosoftMvcJQueryValidation.js and jquery.validate.min.js files are being downloaded
Html.ClientValidationEnabled = true
I can't see easily what is hooking up to which events to know quite how to debug it.
Here's what I've learnt:
MOST IMPORTANT
Your HTML Form must be created with the using directive, not just BeginForm and EndForm.
You must set Html.ClientValidationEnabled = true BEFORE you start your 'Form'
You must use Html.ValidationMessage for each field
You must set Html.ClientValidationEnabled = true on each partial control (ascx)
HOW IT WORKS (very simple overview)
When you do Html.BeginForm it creates a 'FormContext' in the ViewContext
When ValidationMessage helpers are used, metadata is put into the form context
When the form is disposed (by the using statement) it writes out all the validation code
MISC
I cannot seem to get validation working when I have a partial control, if that control uses a different model from the view that defines the Form.
You do NOT need to use Html.TextBoxFor or Html.ValidationMessageFor, you can use Html.TextBox and Html.ValidationMessage
In order for a field to be validated client-side you have to specify a call to Html.ValidationMessage/Html.ValidationMessageFor<> for the field (just like David did in the tutorial you linked) within the view. This is essentially a trigger to the client-side validation logic that you want to run validation for that field.
If there are situations where you don't actually want a validation message to visually appear for each field (i.e. by using Html.ValidationMessage), but would rather allow a summary to be the sole source of validation error messages (i.e. by using Html.ValidationSummary), you still need some way to "trigger" the validation to occur for the specific fields you want it to. This can be achieved by using the Html.Validate/Html.ValidateFor<> methods within your view. Those helpers won't render anything, but will simply register the specified field for client-side validation.
Both of those requirements exist since you might not want the client-side validation to automatically validate every property on your model object, since some of them might not even be part of the form that you're wanting validated.
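The ordering both answers describe, as an added example that is not from either answer: an ASP.NET MVC 2 ASPX view. RegisterModel, its Email and Password properties and the script paths are assumptions, and the model is assumed to carry [Required] data annotations. Html.EnableClientValidation() is the MVC 2 RTM way of setting the ClientValidationEnabled flag the first answer refers to.

```aspx
<%-- Added example, not from either answer: an ASP.NET MVC 2 ASPX view that follows the
     ordering described above. RegisterModel, its Email/Password properties and the script
     paths are assumptions; the model is assumed to carry [Required] data annotations. --%>
<%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage<RegisterModel>" %>

<script src="<%= Url.Content("~/Scripts/jquery.min.js") %>" type="text/javascript"></script>
<script src="<%= Url.Content("~/Scripts/jquery.validate.min.js") %>" type="text/javascript"></script>
<script src="<%= Url.Content("~/Scripts/MicrosoftMvcJQueryValidation.js") %>" type="text/javascript"></script>

<%-- 1. Turn client validation on BEFORE the form is begun; doing it inside the form is
        too late, because BeginForm has already created the FormContext. --%>
<% Html.EnableClientValidation(); %>

<%-- 2. 'using' matters: Dispose() at the closing brace is what writes out the validation
        script for every field registered below. A bare BeginForm/EndForm pair skips it. --%>
<% using (Html.BeginForm()) { %>
    <%= Html.ValidationSummary(true) %>

    <p>
        <%= Html.LabelFor(m => m.Email) %>
        <%= Html.TextBoxFor(m => m.Email) %>
        <%-- 3. ValidationMessageFor both renders the message and registers Email
                for client-side validation in the FormContext. --%>
        <%= Html.ValidationMessageFor(m => m.Email) %>
    </p>
    <p>
        <%= Html.LabelFor(m => m.Password) %>
        <%= Html.PasswordFor(m => m.Password) %>
        <%-- 4. ValidateFor registers Password without rendering anything; its errors
                then appear only in the summary above. --%>
        <% Html.ValidateFor(m => m.Password); %>
    </p>

    <input type="submit" value="Register" />
<% } %>
```

If a field is neither named in a ValidationMessage/ValidationMessageFor call nor in a Validate/ValidateFor call, nothing registers it, and the script emitted at the closing brace simply does not know about it; that is the usual reason server-side annotations appear to "do nothing" on the client.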
