Processing "potentially dangerous Request.Form value was detected by the client"

I am trying to figure out how to deal with this error.

The potentially dangerous Request.Form value was detected by the client

The error occurs when the user enters HTML or XML tags (<p> or <HeyImXML>) and tries to submit the form. The input should not contain any markup at all, just text.

I am using model binding verification in ASP.NET MVC 2.0 along with Html.EnableClientValidation. This works fine until markup is entered.

What is the best way to avoid this error message?

My guess is to write a new validation class that validates this kind of markup?

I want to catch the error in this particular instance. To clarify, there is an area with a form for site admins, who can enter markup, and there is a normal users area where they cannot enter markup. However, this error page appears when regular users enter markup. My question is: how do I prevent the site from crashing and showing the error page? I want to show a cleaner error.

2 answers

It was submitted early in ASP.NET to try to prevent script attacks. It is not unique to MVC.

, .

, validateRequest false:

<%@ Page validateRequest="false" %>

, Web.config - validateRequest <pages /> false:

<configuration> 
    <system.web> 
        <pages validateRequest="false" /> 
    </system.web> 
</configuration> 
0

MVC html injection (XSS). " Request.Form (...)" html/javascript.

html. , " > ", , ,

,

.. MVC, .

[ValidateInput(false)] . .

[AllowHtml] , html .

html/javascript GET IN , MVC , html-. html, @Html.Raw(@Model.Content).. , ( XSS)!

-

.

1. CustomErrors Web.Config

, mode.

RemoteOnly: . (, ). .

.. . , .

.. . .

 <system.web>
   <!-- map all the errors raised in the application to the error.aspx page -->
   <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx" />
 </system.web>

2. Global.asax Application_Error

 // handle all the errors raised in the application
 void Application_Error(object sender, EventArgs e)
 {
     Server.Transfer("error.aspx");
 }

, .

fooobar.com/questions/1765702/...

0
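An added example, not part of either answer: one way to give regular users a clean message for this specific error while leaving request validation switched on is to single out HttpRequestValidationException in Application_Error. The page name ~/InvalidInput.aspx is a hypothetical placeholder.

```csharp
// Global.asax.cs -- added example, not code from the original page.
// Assumption: ~/InvalidInput.aspx is a hypothetical static page that tells
// the user markup is not allowed in this form.
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();

        // Exceptions thrown during page/controller processing may arrive
        // wrapped in HttpUnhandledException, so unwrap one level.
        if (error is HttpUnhandledException && error.InnerException != null)
        {
            error = error.InnerException;
        }

        // Request validation rejected the posted form (e.g. "<p>" in a field).
        if (error is HttpRequestValidationException)
        {
            Server.ClearError();        // stop the default error page
            Response.Clear();
            Response.StatusCode = 400;  // client sent input the form does not accept

            // preserveForm: false, so the rejected form values are not carried
            // over to the target page and validated (and thrown on) again.
            // The target page should not echo the rejected input back.
            Server.Transfer("~/InvalidInput.aspx", false);
            return;
        }

        // Every other error is left uncleared and falls through to the
        // <customErrors> redirect configured in Web.config.
    }
}
```

Request validation stays enabled for the normal users area; only the presentation of the failure changes.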

Source: https://habr.com/ru/post/1765699/
