
I am calling a controller function from Ajax in my view

$.ajax({
    type: "POST",
    url: "@Url.Action("GetSelectedItemsForRoleId","User")",
    data: { optionLabel: '@CommonResource.DropdownNoValueText', optionValue: null, selectedValue: null, filterValue: 0 },
    success: function (result) {
        alert('success');
        var departmentDropdown = $('#RoleId').data("DropDownList");
        departmentDropdown.setDataSource(result);
    },
    error: function(XMLHttpRequest, textStatus, errorThrown)
    {
        alert('XMLHttpRequest ' + XMLHttpRequest);
        alert('textStatus ' + textStatus);
        alert('errorThrown ' + errorThrown);
        //some stuff on failure
    },
    dataType: "json",
    traditional: true,
    async: false
});  

CommonResource.DropdownNoValueText is -Välj-

I get the following error in the failure block:

potentially dangerous request.form value was detected from the client

My controller signature looks like this:

public ActionResult GetSelectedItemsForRoleId(string optionLabel, string optionValue, string selectedValue, int filterValue)  

I tried putting the ValidateInput annotation above this function and setting it to false.
After doing that the string appears as -Välj-.
What is the cause of this, and how can I get back the original text, i.e. -Välj-?

Update:
I have further tried with two things:

  1. I replaced @CommonResource.DropdownNoValueText directly with -Välj-. Now I don't get any error. (But this isn't the correct solution, as this won't resolve the linguistic feature.)
  2. I replaced DropdownNoValueText in CommonResource with something else like eee, which also does not give an error. (But even this isn't the solution.)
Nitish
  • Related, possibly duplicated http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client – Tomalak Oct 09 '13 at 12:41
  • This is because the ModelBinder is encountering some characters which it thinks are hostile, usually `<` or `>` in a XSS attempt. – Rory McCrossan Oct 09 '13 at 12:43
  • I guess the issue is because of ä character. – Nitish Oct 09 '13 at 12:46
  • 1
    @Tomalak : I can't place validateFalse in Pages as it would lead to incorrect or harmful input data. I am applying this only on dropdown and this string value is hardcoded. – Nitish Oct 09 '13 at 12:48

1 Answer


I had a similar problem with both Swedish and Spanish characters. We used the method HttpUtility.JavaScriptStringEncode, which encoded characters in strings and produced an ampersand followed by a hash symbol:

puntuaci&#243;n   

which in turn caused .NET's security reaction (error returned).

The solution was to change the default encoder used by the HtmlUtility classes from the default encoder (HtmlEncoder) to AntiXssEncoder, which doesn't encode characters such as special Swedish or Spanish characters because they are harmless (they cannot be used in an XSS attack).

After this, Swedish/Spanish characters aren't encoded, and consequently the &# sequence is avoided too, so .NET's security reaction (the error) is avoided.
This change is in the config file and probably has a global effect:

<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder"/>

Just to add some information about avoiding the cause of the situation: an unsuccessful attempt at resolving this issue was to use HttpUtility.HtmlEncode instead of HttpUtility.JavaScriptStringEncode, which changed the string to:

puntuaci&amp;#243;n

so that &amp; was used instead of &#, which avoided the problem but caused other unwanted side effects.

Ivan Golović
  • Further experiences with this issue - the problem happened again with the Russian language, so `Server.HtmlEncode` in `.cshtml` was used and `Server.Html.Decode` was used in the controller method, along with `[ValidateInput(false)]` as an attribute of the controller method. – Ivan Golović Dec 22 '21 at 19:33