
"potentially dangerous Request.Form value"

I am getting the error

A potentially dangerous Request.Form value was detected from the client

when I deploy my application (the error does not happen when I run via localhost).

It occurs when submitting a form, because one of the fields contains HTML. I have added [AllowHtml] around the property in the model that corresponds to the offending form-field, but this does not seem to work.

I would rather not use [ValidateInput(false)] on the action method for obvious reasons, and at any rate, that doesn't seem to work either.

Is there any other configuration I need to be doing? I have read that adding

<httpRuntime requestValidationMode="2.0"/>

to the web config file could fix it, but again I don't want to add that because I still want secure validation for other parts of my application.

Any ideas?


[AllowHtml] requires you to add <httpRuntime requestValidationMode="2.0"/> (setting this value doesn't mean that you don't get secure validation, it's just the validation mode). Other parts of the site will be secure, you are disabling validation only for the particular property on your view model.

[ValidateInput(false)] will work but as you said it might be less secure as it disables validation for all properties.

I would stick with [AllowHtml].


UPDATE:

Both [AllowHtml] and [ValidateInput(false)] work out of the box in ASP.NET MVC 3 without the requirement of adding <httpRuntime requestValidationMode="2.0"/> in web.config. This was necessary in ASP.NET MVC 2 running under ASP.NET 4.0.

Here's an example:

View model:

using System.Web.Mvc;

public class MyViewModel
{
    // Opts this one property out of request validation; all other
    // posted fields are still checked for markup.
    [AllowHtml]
    public string Text { get; set; }
}

Controller:

using System.Web.Mvc;

public class HomeController : Controller
{
    public ActionResult Index()
    {
        // Pre-populate the textarea with markup so the round trip is exercised.
        var model = new MyViewModel
        {
            Text = "<html/>"
        };

        return View(model);
    }

    [HttpPost]
    public ActionResult Index(MyViewModel model)
    {
        // Binding succeeds because Text carries [AllowHtml].
        return View(model);
    }
}

View:

@model MyViewModel
@using (Html.BeginForm())
{
    @Html.TextAreaFor(x => x.Text)
    <input type="submit" value="OK" />
}

When the form is submitted no exception is thrown.

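The answer above shows that [AllowHtml] gets the markup past request validation; it does not say what to do with that markup afterwards. The following is an added example, not code from the question or the answer, showing the pattern a practitioner would want: opt out of request validation on one property only, keep CSRF protection on the POST, and sanitise the HTML before it can ever be rendered. It assumes ASP.NET MVC 3 or later and the HtmlSanitizer NuGet package (namespace Ganss.Xss in 8.x, Ganss.XSS in older releases); the type and action names are illustrative.

```csharp
// Added example (not from the original Q&A). Assumes ASP.NET MVC 3+ and the
// HtmlSanitizer NuGet package; CommentViewModel/CommentController are invented names.
using System.Web.Mvc;
using Ganss.Xss; // HtmlSanitizer 8.x; use Ganss.XSS for older package versions

public class CommentViewModel
{
    // Request validation still applies here: a value such as "<b>x</b>"
    // in this field is rejected with HttpRequestValidationException.
    public string Author { get; set; }

    // Only this property opts out of request validation, so raw HTML
    // submitted in the textarea reaches the action unmodified.
    [AllowHtml]
    public string Body { get; set; }
}

public class CommentController : Controller
{
    // One shared sanitiser using the library's default allow-list of tags,
    // attributes and URL schemes (no <script>, no on* handlers, no javascript:).
    private static readonly HtmlSanitizer Sanitizer = new HtmlSanitizer();

    [HttpGet]
    public ActionResult Create()
    {
        return View(new CommentViewModel());
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // CSRF protection is independent of request validation
    public ActionResult Create(CommentViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Accepting HTML on input is only safe if it is neutralised before a
        // browser sees it. Sanitise once, at the trust boundary, and keep only
        // the sanitised version (store it, show it, never the raw submission).
        model.Body = Sanitizer.Sanitize(model.Body ?? string.Empty);

        return View("Show", model);
    }
}
```

In the Show view, `@Model.Author` is HTML-encoded by Razor automatically, which is why a plain string property needs no [AllowHtml]. The sanitised body is the one place where `@Html.Raw(Model.Body)` is acceptable, and only because it has passed the sanitiser; writing `@Html.Raw` over an [AllowHtml] property that was never sanitised turns the attribute into a stored XSS vector. Disabling request validation is therefore a statement that this property will be sanitised elsewhere, not a statement that it is safe.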
