ASP.NET request validation exception even when disabling validation

I am using ASP.NET MVC 2, .NET 4.0.

I have a controller that disables request validation:

[AcceptVerbs("POST")]
[ValidateInput(false)]
public ActionResult Add(string userId, FormCollection formValues)
{
    //...
}

and I still get the HttpRequestValidationException when the POST contains HTML:

System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (ThisWeek = "").
   at System.Web.HttpRequest.ValidateString (String value, String collectionKey, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.ValidateNameValueCollection (NameValueCollection nvc, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.get_Form ()
   at System.Web.Mvc.HttpRequestExtensions.GetHttpMethodOverride (HttpRequestBase request)
   at System.Web.Mvc.AcceptVerbsAttribute.IsValidForRequest (ControllerContext controllerContext, MethodInfo methodInfo)
   at System.Linq.Enumerable.All [TSource] (IEnumerable`1 source, Func`2 predicate)
   at System.Web.Mvc.ActionMethodSelector.RunSelectionFilters (ControllerContext controllerContext, List`1 methodInfos)
   at System.Web.Mvc.ReflectedControllerDescriptor.FindAction (ControllerContext controllerContext, String actionName)
   at System.Web.Mvc.ControllerActionInvoker.FindAction (ControllerContext controllerContext, ControllerDescriptor controllerDescriptor, String actionName)
   at System.Web.Mvc.ControllerActionInvoker.InvokeAction (ControllerContext controllerContext, String actionName)
   at System.Web.Mvc.Controller.ExecuteCore ()
   at System.Web.Mvc.MvcHandler.c__DisplayClass8.b__4 ()
   at System.Web.Mvc.Async.AsyncResultWrapper.c__DisplayClass1.b__0 ()
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute ()
   at System.Web.HttpApplication.ExecuteStep (IExecutionStep step, Boolean & completedSynchronously)

I need to allow HTML text in the input file here, since the application is an error tracking system and people talk about HTML in their error messages. I correctly process the input of this action and correctly encode things as they are being re-outputted, so it’s prudent to disable validation for this action.

MVC2 .NET 4, . , HTTP ( POST PUT DELETE, ). , , .

, ?

+3
2

system.web web.config:

<httpRuntime requestValidationMode="2.0" />
+4

. NET4 . .NET2 web.config :

<system.web>
  <httpRuntime requestValidationMode="2.0"/>
</system.web>
+4
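
With `requestValidationMode="2.0"` in place, `[ValidateInput(false)]` takes effect and the action receives raw markup, so encoding on output becomes the only control between stored text and the browser. The following is an added example, not code from the original posts, showing the question's `Add` action storing the raw value and HTML-encoding it when rendered; the controller name, the `List` action, the in-memory store and the length cap are assumptions.

```csharp
// Added example. ErrorReportController, List, Reports and MaxLength are
// hypothetical names; Add and the ThisWeek field come from the question.
using System.Collections.Generic;
using System.Text;
using System.Web;
using System.Web.Mvc;

public class ErrorReportController : Controller
{
    private const int MaxLength = 8192; // assumed cap on stored text
    private static readonly List<string> Reports = new List<string>(); // stand-in for a database

    // On .NET 4 this attribute takes effect only when web.config sets
    // <httpRuntime requestValidationMode="2.0" />.
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]
    public ActionResult Add(string userId, FormCollection formValues)
    {
        // Raw, unvalidated markup: request validation no longer screens this value.
        string thisWeek = formValues["ThisWeek"] ?? string.Empty;
        if (thisWeek.Length > MaxLength)
        {
            Response.StatusCode = 400;
            return Content("ThisWeek is too long.", "text/plain");
        }

        // Store the text exactly as submitted; encode at output time, not here,
        // so the stored value is never double-encoded or trusted as HTML.
        lock (Reports) { Reports.Add(thisWeek); }
        return RedirectToAction("List");
    }

    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult List()
    {
        var html = new StringBuilder("<ul>");
        lock (Reports)
        {
            foreach (string report in Reports)
            {
                // HtmlEncode turns <, >, & and double quotes into entities, so a
                // report containing "<script>" is displayed as text, not executed.
                html.Append("<li>").Append(HttpUtility.HtmlEncode(report)).Append("</li>");
            }
        }
        html.Append("</ul>");
        return Content(html.ToString(), "text/html");
    }
}
```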

Source: https://habr.com/ru/post/1760563/

