
Handling 'A potentially dangerous Request.Form value was detected from the client'

I am trying to figure out how to handle this error.

A potentially dangerous Request.Form value was detected from the client

The error occurs when a user enters HTML or XML tags (<p> or <HeyImXML>) and tries to submit a form. The input is not supposed to contain any sort of markup at all, just plain text.

I am using model binding validation in ASP.NET MVC 2.0 along with Html.EnableClientValidation. This works fine as long as there is no markup entered.

What is the best approach on how to avoid this error message?

My guess is to write a new validation class which checks for this kind of markup?

I want to catch the error in this specific instance. To clarify, there is an area with a form for site admins who can enter markup, and there is a normal users area where they cannot enter markup. However, this error page appears when a normal user enters markup. My question is, how do I handle this to prevent the site from crashing and showing the error page? I want to display a cleaner error.


MVC will automatically protect your application from some html injection and cross-site scripting (XSS) attacks. This is why you will get the "A potentially dangerous Request.Form value was detected from the client (...)" by default when attempting to post html/javascript.

However, we may sometimes want to allow our users to post HTML. You might just want to allow users to use characters such as ">", or it might be because you're implementing blog functionality and want to support tags like <h1>, <div>, etc. This can easily be accomplished with MVC by disabling request validation.

Add [ValidateInput(false)] attribute to the action method in the controller you are calling. This will disable request validation for the entire model on the specific action.

Another way is to add the [AllowHtml] attribute to the property which requires html in your model.

These two attributes will only allow HTML/JavaScript to get into your application, but MVC will still output them safely by using HTML encoding. If you want to output it as HTML, you can use @Html.Raw(@Model.Content). But use this with caution, since this will open your application to cross-site scripting attacks (XSS)!

I found this solution on someone's blog.

Also see the code below for your solution.

You can handle errors within your application in the following ways:

1. Setting the customErrors mode section in the Web.config file of your application

These are the options the mode attribute can accept.

RemoteOnly: Generic error pages are shown for remote users. Rich error pages are shown for local requests (requests that are made from the current computer). This is the default setting.

Off: Rich error pages are shown for all users, regardless of the source of the request. This setting is helpful in many development scenarios but should not be used in a deployed application.

On: Generic error pages are shown for all users, regardless of the source of the request. This is the most secure option.

  <system.web>
    <!-- map all the errors presented in the application to the error.aspx web page -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx" />
  </system.web>

2. Through the Application_Error function in the Global.asax file

  // handle all the errors presented in the application
  void Application_Error(object sender, EventArgs e)
  {
      Server.Transfer("error.aspx");
  }

I hope this works for you.

From a Stack Overflow solution.
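As an added example (not code from the question or from either answer), this combines the two ideas above for the asker's split between admin and normal-user forms: request validation is switched off only on the normal-user action, and a custom validation attribute rejects markup during model binding, so the user gets an ordinary field error instead of the yellow error page. The attribute, model and controller names are assumptions.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;
using System.Web.Mvc;

// Hypothetical validation attribute: rejects input that looks like an HTML/XML tag
// or a numeric character reference. It runs during model binding, so the user sees
// a normal field error rather than the "potentially dangerous Request.Form value" page.
[AttributeUsage(AttributeTargets.Property | AttributeTargets.Field, AllowMultiple = false)]
public sealed class NoMarkupAttribute : ValidationAttribute
{
    // Matches "<" followed by an optional "/", "!" or "?" and a letter
    // (e.g. "<p>", "</div>", "<?xml"), or the start of an entity like "&#60;".
    private static readonly Regex TagPattern =
        new Regex(@"<\s*[/!?]?\s*[A-Za-z]|&#", RegexOptions.Compiled);

    public NoMarkupAttribute()
        : base("The field {0} must not contain HTML or XML tags.") { }

    public override bool IsValid(object value)
    {
        var text = value as string;
        return string.IsNullOrEmpty(text) || !TagPattern.IsMatch(text);
    }
}

// Hypothetical view model for the normal-user form (plain text only).
public class CommentModel
{
    [Required]
    [NoMarkup]
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    // Request validation is disabled for this action only, so the request reaches
    // model binding and NoMarkupAttribute produces a clean ModelState error.
    // On ASP.NET 4 this also requires <httpRuntime requestValidationMode="2.0" />
    // in Web.config, otherwise the framework rejects the request before MVC runs.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Create(CommentModel model)
    {
        if (!ModelState.IsValid)
            return View(model); // re-render the form with the field error displayed

        // Body contains no tags, and the view helpers HTML-encode it on output anyway.
        return RedirectToAction("Index");
    }
}
```

The admin form keeps its own action without [ValidateInput(false)] removed or with markup explicitly allowed, so the relaxation is scoped to the one endpoint that needs it.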


This was introduced early on in ASP.Net to try to help prevent script injection attacks. It isn't unique to MVC.

If you don't want this feature, you can turn it off and write your own.

To disable request validation on a page, set the validateRequest attribute of the Page directive to false:

<%@ Page validateRequest="false" %>

To disable request validation for your application, modify Web.config - set the validateRequest attribute of the <pages /> section to false:

<configuration> 
    <system.web> 
        <pages validateRequest="false" /> 
    </system.web> 
</configuration> 