2
votes

I am getting the error

A potentially dangerous Request.Form value was detected from the client

when I deploy my application (the error does not happen when I run via localhost).

It occurs when submitting a form, because one of the fields contains HTML. I have added [AllowHtml] around the property in the model that corresponds to the offending form-field, but this does not seem to work.

I would rather not use [ValidateInput(false)] on the action method for obvious reasons, and at any rate, that doesn't seem to work either.

Is there any other configuration I need to be doing? I have read that adding

<httpRuntime requestValidationMode="2.0"/>

to the web config file could fix it, but again I don't want to add that because I still want secure validation for other parts of my application.

Any ideas?

1 Answer

8
votes

[AllowHtml] requires you to add <httpRuntime requestValidationMode="2.0"/> (setting this value doesn't mean that you don't get secure validation, it's just the validation mode). Other parts of the site will be secure, you are disabling validation only for the particular property on your view model.

[ValidateInput(false)] will work but as you said it might be less secure as it disables validation for all properties.

I would stick with [AllowHtml].


UPDATE:

Both [AllowHtml] and [ValidateInput(false)] work out of the box in ASP.NET MVC 3 without the requirement of adding <httpRuntime requestValidationMode="2.0"/> in web.config. This was necessary in ASP.NET MVC 2 running under ASP.NET 4.0.

Here's an example:

View model:

using System.Web.Mvc;

public class MyViewModel
{
    // Request validation is skipped for this one property only;
    // every other bound field is still validated as usual.
    [AllowHtml]
    public string Text { get; set; }
}

Controller:

using System.Web.Mvc;

public class HomeController : Controller
{
    public ActionResult Index()
    {
        // Pre-populate the field with markup so the round trip exercises [AllowHtml]
        var model = new MyViewModel
        {
            Text = "<html/>"
        };

        return View(model);
    }

    [HttpPost]
    public ActionResult Index(MyViewModel model)
    {
        // Model binding succeeds even though Text contains HTML
        return View(model);
    }
}

View:

@model MyViewModel
@using (Html.BeginForm())
{
    @Html.TextAreaFor(x => x.Text)
    <input type="submit" value="OK" />
}

When the form is submitted no exception is thrown.
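As an added example that is not part of the original answer, the hypothetical controller and view model below (all names are invented) show the difference in scope between the two attributes discussed above, and the output-encoding step that [AllowHtml] leaves to the application: the attribute only tells ASP.NET not to reject markup in that one field, it does not sanitise anything.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical view model: only Body is exempt from request validation.
public class CommentViewModel
{
    // No attribute here, so "<script>" in Title is still rejected with
    // "A potentially dangerous Request.Form value was detected".
    public string Title { get; set; }

    // [AllowHtml] stops the request-validation exception for this field only.
    // The raw markup is bound as-is; nothing is stripped or encoded.
    [AllowHtml]
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    [HttpGet]
    public ActionResult Create()
    {
        return View(new CommentViewModel());
    }

    // Narrow exemption: the view model decides which field may carry HTML.
    [HttpPost]
    public ActionResult Create(CommentViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Keep the raw Body if the application genuinely needs the markup,
        // but prepare an encoded copy for display so the browser renders it
        // as text. Razor's @Model.Body does this encoding automatically;
        // @Html.Raw(Model.Body) would not, and would reintroduce the XSS
        // exposure that request validation exists to catch.
        ViewBag.SafeBody = HttpUtility.HtmlEncode(model.Body ?? string.Empty);

        return View("Show", model);
    }

    // Broad exemption, for comparison: every bound field on this action skips
    // request validation, including Title. This is the option the answer
    // advises against, because the exemption is no longer tied to one field.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult CreateUnvalidated(CommentViewModel model)
    {
        ViewBag.SafeBody = HttpUtility.HtmlEncode(model.Body ?? string.Empty);
        return View("Show", model);
    }
}
```

In the corresponding Show view, `@Model.Body` or `@ViewBag.SafeBody` renders the submitted markup as visible text; only `@Html.Raw(...)` emits it verbatim, so reserve that for content that has already been reduced to an allow-listed set of tags.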