By default, .NET has a security feature that denies user input containing HTML text, e.g. '<html>'. When a form request is submitted in which an input contains HTML text, a yellow error page is displayed with the error message "A potentially dangerous Request.Form value was detected from the client ...".

I have a question about this problem. Can I configure .NET to set ModelState.IsValid = false instead of showing a yellow page? Or is there another solution to my problem? I hate the yellow page and I want the user to know the reason for the error, such as "HTML text is forbidden on field name XXX".

Thanks.

tereško
Leo Vo

2 Answers

  1. You shouldn't allow your application to display yellow pages at all. For this you should set customErrors mode to On in web.config: <customErrors mode="On" />

  2. You could filter this exception in Global.asax and display the error page you want for this type of exception:

    // Requires: using System; using System.Web; using System.Web.Mvc; using System.Web.Routing;
    protected void Application_Error(object sender, EventArgs e)
    {
        // The unhandled exception that ended the current request
        Exception ex = Server.GetLastError();
        HttpContext httpContext = HttpContext.Current;
        if (httpContext.IsCustomErrorEnabled)
        {
            var controller = new ErrorController();
            var routeData = new RouteData();
            var action = "AccessDenied";
            // Request validation failures surface as HttpRequestValidationException
            if (ex is HttpRequestValidationException)
            {
                action = "XSSError";
            }
            httpContext.ClearError();
            httpContext.Response.Clear();
            httpContext.Response.StatusCode = ex is HttpException
                ? ((HttpException)ex).GetHttpCode()
                : 500;
            // Stop IIS from replacing our response body with its own error page
            httpContext.Response.TrySkipIisCustomErrors = true;
            routeData.Values["controller"] = "Error";
            routeData.Values["action"] = action;
            ((IController)controller).Execute(
                new RequestContext(new HttpContextWrapper(httpContext), routeData));
        }
    }


    For this you must have an ErrorController with an XSSError action.

There are a lot of discussions here on this theme:

A potentially dangerous request form value

A potentially dangerous request path value

UPDATE:

ASP.NET Request Validation executes before the BeginRequest phase. At that point no ModelState exists yet. Above I showed a way to configure ASP.NET to handle the exception thrown by validation generally. In order to let a request with dangerous data go further, you need to turn off ASP.NET request validation (see the links above for how to do it) and validate your fields on your own in your action or in a custom binder.

Oleksii Aza
  • Your answer does not focus on my question. I want to show a model error on form submit instead of showing a custom error page. – Leo Vo Nov 27 '13 at 02:21
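The handler in the answer above dispatches to an ErrorController with XSSError and AccessDenied actions but does not show it. The following is an added example of such a controller, not code from the answer; the controller and action names are the ones the handler assumes, and the shared view name "Error" and the ViewBag.Message property are assumptions. The XSSError action tells the user what kind of input was rejected without echoing the rejected value back into the page, and it leaves the status code alone because Application_Error has already set it.

```csharp
using System.Web.Mvc;

public class ErrorController : Controller
{
    // Target of Application_Error when the exception was an
    // HttpRequestValidationException: explain the rejection in general terms.
    public ActionResult XSSError()
    {
        // Deliberately generic: the rejected value is not reflected into the response.
        ViewBag.Message = "The submitted form contained HTML markup, which is not allowed.";
        return View("Error");   // assumes Views/Shared/Error.cshtml renders ViewBag.Message
    }

    // Fallback target for every other unhandled exception.
    public ActionResult AccessDenied()
    {
        ViewBag.Message = "The request could not be processed.";
        return View("Error");
    }
}
```

Because the handler reaches this controller via IController.Execute rather than the normal routing pipeline, the actions must be public, parameterless and side-effect free; anything they throw would itself be unhandled.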

Good question. The yellow page indicates an application error (particularly an unhandled exception of type HttpRequestValidationException) rather than a model validation failure. Thus it's not possible to recover from it, unless you know where to put a try block. I guess it fails somewhere in MVC's default validation handler, so unless you override it it's not possible to catch the exception. Unfortunately I'm not proficient enough with MVC to say how you can override the default validation process.

However, for most purposes it's enough to set [AllowHtml] on the data model property in question. After that, the exception will no longer be thrown, and you are free to apply manual checks to your VM in the controller and can set ModelState errors manually using:

ModelState.AddModelError("msg", "msg field contains html markup");

Petr Abdulin