A potentially dangerous Request.Form value was found, but ValidateInput(false) does not work

I installed VS2010 and MVC2 and verified a simple form using tinyMCE. When I submit the contents of the tinyMCE text field, I get a scary YSOD and the message

"potentially dangerous ....."

I have seen this before, so I put ValidateInput(false) on the controller action, but no joy - I still get the error.

The page code in edit.aspx is:

    <% using (Html.BeginForm()) { %>
        <!-- Gets replaced with TinyMCE, remember HTML in a textarea should be encoded -->
        <textarea id="elm1" name="mceText" rows="15" cols="80" style="width: 80%">
            &lt;p&gt;This is some example text that you can edit inside the &lt;strong&gt;TinyMCE editor&lt;/strong&gt;.
        </textarea>
        <br />
        <input type="submit" name="save" value="Submit" />
        <input type="reset" name="reset" value="Reset" />
    <% } %>

and the controller action:

    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]
    public ActionResult Edit(string mceText)
    {
        return View();
    }

Any thoughts? (I know the code is not complete.) I have tried this for hours, but everyone just says they use ValidateInput(false).

+4
4 answers

Here's why: http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes#0.1__Toc256770147 (quoted below)

ASP.NET request validation provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just requests for .aspx pages. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:

    <httpRuntime requestValidationMode="2.0" />

However, we recommend that you analyze any request validation errors to determine whether existing handlers, modules, or other custom code accesses potentially unsafe HTTP inputs that could be XSS attack vectors.

+5

A better solution might be to use the TinyMCE encoding option:

http://www.tinymce.com/wiki.php/Configuration:encoding

    tinyMCE.init({
        // ...
        encoding : "xml"
    });

then use HttpUtility.HtmlDecode on the server to decode it as needed.

See here: http://blog.tentaclesoftware.com/archive/2010/07/22/96.aspx

+5

Found it.

You need to add

    <httpRuntime requestValidationMode="2.0"/>

in web.config.

+3

Addendum: with encoding: "xml", single quotes are encoded as &#39;, but ASP.NET flags this as a security vulnerability, so we have to replace every &#39; with the HTML entity &apos;:

    tinyMCE.init({
        // ...
        encoding: "xml",
        setup: function (ed) {
            ed.onSaveContent.add(function (ed, o) {
                o.content = o.content.replace(/&#39/g, "&apos");
            });
        }
    });

Thanks, Eddie.

+3

Source: https://habr.com/ru/post/1304522/