
I am trying to encode < and > in an MVC parameter. I tried using encodeURIComponent; however, the decoding seems to occur prior to reaching the controller and it blows up the routing.

public override void RegisterArea(AreaRegistrationContext context)
{
    context.MapRoute(
        "Default",
        "Home/{controller}/{action}/{id}",
        new { action = "Index", id = UrlParameter.Optional }
    );
}

http://localhost/HomeStretch/Home/ListAll?Value=%22%7B%3Cdbid%3E%7BD576959C-31F8-469B-9C23-17B046DF590F%7D%3Cdbid%3E%7D%22"

If I take away the <> carets it works; if I leave them in, the call fails. I can do my own silly conversion using a * instead of %; however, I am wondering if there is a better way of getting around this?

Turns out this may be a security issue. I was scouring the event log and found that the exception below had been thrown. How do I properly insulate my tags, so this won't happen?

Exception information: 
    Exception type: HttpRequestValidationException 
    Exception message: A potentially dangerous Request.QueryString value was detected from the client (Filters[0].Value=""{<dbid>{D576959C-31F8...").
at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
at System.Web.HttpValueCollection.GetValues(String name)
aggaton
  • Have you seen this: http://stackoverflow.com/questions/5901049/how-to-url-encode-parameters-in-asp-net-mvc – David Tansey Aug 19 '14 at 17:28
  • or this? http://stackoverflow.com/a/3608791/426422 – Mike Cheel Aug 19 '14 at 17:34
  • Not quite the same problem, in that case the issue was that the special character was part of the route name rather than the parameter itself, but you are right, it is within the same area. – aggaton Aug 19 '14 at 17:36
  • @Mike Cheel, I guess the takeaway from that article is to not trust standard functions like encodeURIComponent, write your own. – aggaton Aug 19 '14 at 17:53
  • I was wondering if encodeUri worked over encodeUriComponent for you. Probably not from what I am seeing but I don't know where your url is coming from and how it is being generated. – Mike Cheel Aug 19 '14 at 17:55
  • Are you sure it's the routing that's being messed up and not validation that's giving you problems? Try adding the `[AllowHtml]` attribute above the declaration of the Value property in your model class or above the entire action. – Pluto Aug 19 '14 at 17:55
  • I found that the problem seems to be related to the fact that security intercepts the request; I have updated the question with an excerpt from the event log. – aggaton Aug 19 '14 at 18:38
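Assuming the value genuinely has to arrive in that wrapped form, the following is an added example (not code from the question, the answer or the asker's project) of the insulation the question asks about, written for ASP.NET MVC 5: [AllowHtml] on the one model property (the attribute applies to properties only; [ValidateInput(false)] on the action is the coarser, request-wide alternative), a strict parse down to a Guid before the string is used for anything, and HTML-encoding whenever the raw value is echoed back. ListAllController, FilterModel and TryParseDbId are hypothetical names; the route comment follows the "Home/{controller}/{action}/{id}" route shown in the question.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;

// Hypothetical model bound from the query string (the log in the question shows the
// same field bound as Filters[0].Value). Without [AllowHtml], reading a Value that
// contains "<dbid>" trips request validation and throws HttpRequestValidationException,
// lazily, when the binder reads the field, as the stack trace in the question shows.
public class FilterModel
{
    // [AllowHtml] applies to model properties only. It disables request validation
    // for this one field; [ValidateInput(false)] on the action would disable it for
    // every field of the request.
    [AllowHtml]
    public string Value { get; set; }
}

public class ListAllController : Controller
{
    // The only shape accepted, e.g. "{<dbid>{D576959C-31F8-469B-9C23-17B046DF590F}<dbid>}"
    // (the surrounding quotes are part of what the client sent; they are optional here).
    private static readonly Regex DbIdWrapper = new Regex(
        @"^""?\{<dbid>(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})<dbid>\}""?$",
        RegexOptions.Compiled);

    // Narrow the free-form string down to a Guid before it is used anywhere else.
    public static bool TryParseDbId(string raw, out Guid dbId)
    {
        dbId = Guid.Empty;
        if (string.IsNullOrEmpty(raw)) return false;
        Match m = DbIdWrapper.Match(raw);
        // "B" is the {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} format, so the inner braces
        // captured by the group are consumed by the Guid parser itself.
        return m.Success && Guid.TryParseExact(m.Groups[1].Value, "B", out dbId);
    }

    // GET /Home/ListAll?Value=%22%7B%3Cdbid%3E%7B...%7D%3Cdbid%3E%7D%22
    // With the route "Home/{controller}/{action}/{id}" this is controller ListAll,
    // default action Index.
    public ActionResult Index(FilterModel filter)
    {
        Guid dbId;
        if (!TryParseDbId(filter.Value, out dbId))
        {
            // If the raw value is ever echoed, encode it first: "<dbid>" becomes
            // "&lt;dbid&gt;" and cannot turn into markup in the response.
            Response.StatusCode = 400;
            return Content("<p>Unrecognised filter value: "
                           + HttpUtility.HtmlEncode(filter.Value) + "</p>", "text/html");
        }
        // Only the typed Guid travels further (lookups, view model, logging).
        return Content("dbid = " + dbId.ToString("D"), "text/plain");
    }
}
```

The point of TryParseDbId is that disabling request validation for the field does not mean trusting it: after the parse, nothing downstream ever sees the angle brackets, and the one place the raw string is reflected goes through HttpUtility.HtmlEncode (Razor's @ output does the same encoding automatically).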

1 Answer


Rethink why you're sending the information in this format. The string you show translates to:

Value="{<dbid>{D576959C-31F8-469B-9C23-17B046DF590F}<dbid>}"

ASP.NET is trying to protect you from hackers that might be attempting an injection attack. It sees <dbid>, and it thinks they're probably trying to send HTML to your server.

If you really need to support this sort of input, then you can use the [AllowHtml] attribute on your action to tell ASP.NET that you'll be super careful not to let this input get used without being properly encoded.

But I'd strongly recommend re-thinking why you're sending the information in this way. It seems to me that dbid=D576959C-31F8-469B-9C23-17B046DF590F might work, or perhaps Value={"dbid": "D576959C-31F8-469B-9C23-17B046DF590F"}.

StriplingWarrior
  • Turns out a colleague had a bug in the db import tool, which was creating these names. But you are right, modifying the data slightly to prevent the risk is best. What I do is first run encodeURIComponent on that parameter and then replace all % with *, that way preventing a translation. – aggaton Aug 19 '14 at 23:04
  • @aggaton: I don't think that's an appropriate solution. The only danger that ASP.NET is protecting you from is the possibility that you'll use the provided value in a scripted context (like HTML) without properly escaping it. The workaround you describe will require you to decode the *s back to %s, and give you the same value you would have had by using `[AllowHtml]`, but with much higher complexity, and it will still leave you open to the same potential security issues. – StriplingWarrior Aug 19 '14 at 23:12
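The redesign the answer recommends, as an added example that is not part of the answer or of the asker's project: the identifier goes across either as a plain GUID (dbid=...) or in the JSON form the answer suggests, so the query string never contains < or >, request validation has nothing to object to, and the controller receives a typed value rather than a string it has to decode. ListAllController, DbIdEnvelope, TryReadEnvelope and the action name ByEnvelope are hypothetical; the URLs follow the "Home/{controller}/{action}/{id}" route from the question.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Script.Serialization;

// Hypothetical shape of the JSON variant: Value={"dbid": "D576959C-..."}
public class DbIdEnvelope
{
    public string dbid { get; set; }
}

public class ListAllController : Controller
{
    // Option 1: GET /Home/ListAll?dbid=D576959C-31F8-469B-9C23-17B046DF590F
    // The default model binder converts the text to a Guid. A value that is not a
    // GUID leaves the parameter null and records a ModelState error, so the raw
    // text never reaches the body of the action.
    public ActionResult Index(Guid? dbid)
    {
        if (!ModelState.IsValid || dbid == null)
            return new HttpStatusCodeResult(400, "dbid must be a GUID");
        return Content("dbid = " + dbid.Value.ToString("D"), "text/plain");
    }

    // Option 2: GET /Home/ListAll/ByEnvelope?Value=%7B%22dbid%22%3A%22D576959C-...%22%7D
    // i.e. Value={"dbid":"D576959C-..."} once decoded. JSON needs no angle brackets,
    // so request validation passes, and the parse below is still strict.
    public ActionResult ByEnvelope(string Value)
    {
        Guid dbId;
        if (!TryReadEnvelope(Value, out dbId))
            return new HttpStatusCodeResult(400, "Value must be JSON of the form {\"dbid\": \"...\"}");
        return Content("dbid = " + dbId.ToString("D"), "text/plain");
    }

    // Parse the envelope and accept only a bare 8-4-4-4-12 GUID ("D" format).
    public static bool TryReadEnvelope(string json, out Guid dbId)
    {
        dbId = Guid.Empty;
        if (string.IsNullOrEmpty(json)) return false;
        try
        {
            var env = new JavaScriptSerializer().Deserialize<DbIdEnvelope>(json);
            // TryParseExact returns false (it does not throw) when env.dbid is null.
            return env != null && Guid.TryParseExact(env.dbid, "D", out dbId);
        }
        catch (ArgumentException)            // malformed JSON
        {
            return false;
        }
        catch (InvalidOperationException)    // JSON of the wrong shape
        {
            return false;
        }
    }
}
```

Either option gives the controller a Guid and nothing else. The * for % scheme from the comments changes none of this: once the controller turns the * characters back into % and URL-decodes, it holds exactly the original string with its <dbid> tags, so it still has all the validating and encoding work that [AllowHtml] would have left it with, plus the extra decoding step.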