
I am developing an MVC application and am testing it now.

I am trying to insert <test> into the database for the address field. As it contains angle brackets, it's giving an error. For that I use the code below in the controller.

[HttpPost]
public ActionResult Create(Employee employee)
{
    if (ModelState.IsValid)
    {
        employee.Address.Replace("<", "&lt;").Replace(">", "&gt;");
        db.Employees.Add(employee);
        db.SaveChanges();
        return RedirectToAction("Index");
    }

    ViewBag.ReportsToId = new SelectList(db.Employees, "Id", "FirstName", employee.ReportsToId);
    return View(employee);
}

But the cursor didn't come to this code. Where should I write the replace code?
Before the cursor reaches that code, it's giving an error:

A potentially dangerous Request.Form value was detected from the client (Address ="<test>").

Kris van der Mast
nilesh1foru

3 Answers


Read this answer for a similar question.

Conclusion: Use the [AllowHtml] attribute over the Address property or change the web.config to use requestValidationMode 2.0:

<configuration>
   <system.web>
     <httpRuntime requestValidationMode="2.0" />
   </system.web>
   <pages validateRequest="false">
   </pages>
</configuration>
bjorncs

Change employee.Address.Replace("<", "&lt;").Replace(">", "&gt;"); to employee.Address = employee.Address.Replace("<", "&lt;").Replace(">", "&gt;");

This way it is taking the employee.Address string, replacing the < and > symbols, and then saving the string back to employee.Address.

Also, it may need to be before the if (ModelState.IsValid) part.

Garrett Fogerlie

There are two problems in your code that you have to solve.

First, as you pointed out, the error:

A potentially dangerous Request.Form value was detected from the client (Address ="<test>").

This error happens because, for the sake of security, MVC does not allow such a string (yours looks like some HTML element) to be sent to your action method by default. That is to prevent the user from submitting some dangerous input to attack your site. For example, rather than <test>, you could type <script>alert('hahaha')</script>, and if you do not encode that input, everyone accessing the page that contains this address field will get an alert box. And that is why you cannot get to the "Replace code" when debugging: the whole method just won't run because of this error.

That said, there are many options to solve this first error, but you can simply add a ValidateInput attribute to your action method.

[HttpPost]
[ValidateInput(false)]
public ActionResult Create(Employee employee)

By doing this, you are telling MVC to trust you that you will encode that dangerous input at some point. And you are doing that with the Replace code. That is pretty fine. But if you are just using @yourTable.Address to render the data in some view, you don't need to bother replacing < and > in your action code. The MVC Razor engine will do the encoding for you when you render the data through the @yourTable.Address syntax.

Russell Yan
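The approach the answers converge on, written out as an added example (not the asker's code or any answer's): [AllowHtml] lifts request validation for the one property that needs it instead of the whole action, the raw text is stored and Razor encodes it on output, and the string-immutability bug is avoided. EmployeeContext is an assumed EF DbContext; everything else is the names already used in the question.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web;
using System.Web.Mvc;

// Hypothetical model. [AllowHtml] disables request validation for this
// property only; [ValidateInput(false)] or requestValidationMode="2.0"
// would widen the exemption to the whole action or the whole site.
public class Employee
{
    public int Id { get; set; }
    [Required]
    public string FirstName { get; set; }
    public int? ReportsToId { get; set; }

    [AllowHtml]
    [StringLength(200)]
    public string Address { get; set; }
}

public class EmployeesController : Controller
{
    private readonly EmployeeContext db = new EmployeeContext(); // assumed EF context

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(Employee employee)
    {
        if (ModelState.IsValid)
        {
            // Store the text as typed. A view that writes @Model.Address gets
            // it HTML-encoded by Razor, so "<test>" renders as text, not markup.
            db.Employees.Add(employee);
            db.SaveChanges();
            return RedirectToAction("Index");
        }

        ViewBag.ReportsToId = new SelectList(db.Employees, "Id", "FirstName", employee.ReportsToId);
        return View(employee);
    }

    // Only needed where the value is emitted unencoded (e.g. via Html.Raw).
    // Strings are immutable: Replace and HtmlEncode return a new string that
    // must be assigned, which is the bug in the original action.
    public static string EncodeForHtml(string address)
    {
        // HtmlEncode also covers & and quote characters, which a manual
        // Replace("<", "&lt;").Replace(">", "&gt;") leaves untouched.
        return HttpUtility.HtmlEncode(address ?? string.Empty);
    }
}
```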