All geek questions in one place

Potentially dangerous request, hide the error

I am trying to verify the security of my MVC application. When I try to enter html or javascript, it gives an error: a potentially dangerous request.

Server Error in '/' Application.
A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht...").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht...").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

It looks good, it is impossible to embed HTML or JavaScript. But what I don't like, users will see my version of ASP.net and all that.

How to remove this error and give only a message with: I do not like your input or anything else.

I tried to do this, but this does not work:

[Authorize]
public ActionResult Create(int album_id)
{
    ViewBag.album_id = album_id;
    return View();
}

[Authorize]
[HttpPost]
public ActionResult Create(REVIEW model)
{
    string txt = null;
    try
    {
        txt = model.TEKST;
    }
    catch (System.Web.HttpRequestValidationException)
    {
        txt = "errorrr";
    }


    return RedirectToAction("Add", new { tekst = txt, album_id=model.ALBUM_ID});
}

SOLUTION: See Nudier Answer

+3
source share
1 answer

you can handle errors in your application as follows

1. CustomErros Web.Config

, mode.

RemoteOnly: . (, ). .

.. . , .

.. , . .

     <System.Web>
      //map all the erros presented in the application to the error.aspx webpage
     <customErrors mode="RemoteOnly" defaultRedirect ="~/error.aspx" />
    <System.Web>

2. Global.asax Application_Error

     //handle all the errors presented in the application
      void Application_Error(object sender, EventArgs e){  
     Server.Tranfer("error.aspx");
    }

, .

+4

Source: https://habr.com/ru/post/1765702/

More articles:


All Articles