
I am coding an MVC 5 view, and have a question with regard to detecting an HttpRequestValidationException.

Here is the controller code:

using System.Threading.Tasks;
using System.Web.Mvc;

public class TestController : Controller
{
    // GET: renders the empty form.
    public async Task<ActionResult> TestView()
    {
        return View();
    }

    // POST: receives the submitted form and returns the Index view.
    // (Nothing is awaited in either action, so the compiler warns about the async modifier.)
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> TestView(TestModelViewModel testModelViewModel)
    {
        return View("Index");
    }
}

Here is the view code:

@model CanFindLocation.ViewModels.TestModelViewModel

@{
    ViewBag.Title = "TestView";
}

<h2>TestView</h2>

@using (Html.BeginForm())
{
    @Html.AntiForgeryToken()

    @Html.ValidationSummary(true, "", new { @class = "text-danger" })

    <div class="form-group">
        <label class="control-label col-md-2" for="txtExpiryMonth">Expiry Month</label>
        <div class="col-md-10" id="txtExpiryMonthDivClass">
            <input class="form-control text-box single-line" id="txtExpiryMonth" name="ExpiryMonth" type="text" value="" />
        </div>
    </div>

    <div class="form-group">
        <div class="col-md-offset-2 col-md-10">
            <input type="submit" value="Create" class="btn btn-default" />
        </div>
    </div>

}

I can enter HTML such as the following in the ExpiryMonth form control:

<html>

The <html> value is currently permitted in the form control, and the following error is NOT shown after the submit button is pressed:

Server Error in '/' Application.

A potentially dangerous Request.Form value was detected from the client (name="").

Description: ASP.NET has detected data in the request that is potentially dangerous because it might include HTML markup or script. The data might represent an attempt to compromise the security of your application, such as a cross-site scripting attack. If this type of input is appropriate in your application, you can include code in a web page to explicitly allow it. For more information, see http://go.microsoft.com/fwlink/?LinkID=212874.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (name="").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

How do I PREVENT users from entering malicious code? When I scaffold a controller with views (my code above is NOT from scaffolding), the above error is displayed.

Thanks in advance.

EDIT

I do not want to allow a user to enter HTML code; I wish to prevent a user from entering HTML code. How do scaffolded views do this? What code do I need to add to my view/controller so that the error page is shown when HTML code is entered in the view?

Simon
  • Related: http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client – Soner Gönül Mar 05 '15 at 12:05
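The mechanism behind the question, as an added example that is not code from the original post or from the asker: in MVC 5 with the template default of requestValidationMode 4.5 (implied by httpRuntime targetFramework="4.5"), request validation is deferred until a form value is actually read. Scaffolded views emit inputs via Html.EditorFor for properties of the model, so DefaultModelBinder reads each posted key through the validated form value provider and the read throws HttpRequestValidationException. A hand-written input whose name matches no model property is never read, so no exception is raised. The view model members below are an assumption (the question never shows TestModelViewModel), and the Probe action and Notes property are hypothetical additions used only to show the two read paths.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web;
using System.Web.Mvc;

namespace CanFindLocation.ViewModels
{
    // Assumed shape of the view model; the question does not show its members.
    public class TestModelViewModel
    {
        // The <input> in the view is name="ExpiryMonth". DefaultModelBinder populates
        // this property by reading that key through the *validated* form value
        // provider, and that read is what throws HttpRequestValidationException for
        // a value such as "<html>". If the model has no property of this name, the
        // value is never read and the error page never appears.
        [Required]
        [RegularExpression(@"^(0[1-9]|1[0-2])$", ErrorMessage = "Expiry month must be 01 to 12.")]
        public string ExpiryMonth { get; set; }

        // Contrast: [AllowHtml] makes the binder read this one key unvalidated,
        // so markup is accepted for this property only. (Hypothetical extra field,
        // not posted by the question's form.)
        [AllowHtml]
        public string Notes { get; set; }
    }
}

namespace CanFindLocation.Controllers
{
    using CanFindLocation.ViewModels;

    public class TestController : Controller
    {
        public ActionResult TestView()
        {
            return View();
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult TestView(TestModelViewModel model)
        {
            // Binding ran before this body, so a "<html>" value has already thrown.
            // Values that pass request validation must still satisfy the data
            // annotations above: request validation is a markup heuristic, not a
            // substitute for whitelisting the format you actually expect.
            if (!ModelState.IsValid)
            {
                return View(model);
            }
            return RedirectToAction("Index");
        }

        // Hypothetical action that makes the two read paths explicit.
        // Request.Form["key"] validates the value when it is accessed;
        // Request.Unvalidated.Form["key"] never validates.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Probe()
        {
            string raw = Request.Unvalidated.Form["ExpiryMonth"];
            try
            {
                string validated = Request.Form["ExpiryMonth"];
                return Content("accepted: " + HttpUtility.HtmlEncode(validated));
            }
            catch (HttpRequestValidationException)
            {
                // Answer with a 400 instead of the default server error page.
                // The rejected value is HTML-encoded before it is echoed back.
                Response.StatusCode = 400;
                return Content("rejected: " + HttpUtility.HtmlEncode(raw));
            }
        }
    }
}
```

Two caveats a practitioner would want: [AllowHtml] on a property and [ValidateInput(false)] on an action both switch the check off for that scope, which is the opposite of what the question asks for; and because validation only happens on read, a posted value that no code ever reads is neither rejected nor dangerous, so the thing to get right is that every value you do consume is either bound to a validated property or explicitly read and encoded as above.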

2 Answers


The application is doing exactly what it should do. The field does not allow HTML, so if someone posts HTML, there's a server error. This is a perfectly valid response. If the user is jacking around with the request data, then it's appropriate to return a server error.

Chris Pratt
  • There is no server error. The user CAN enter invalid data. That is the problem. How can I PREVENT the user from entering invalid data and thus show the error? – Simon Mar 05 '15 at 15:07

You can add this to your POST action, and HTML-encode the value in your code:

[ValidateInput(false)]
Owain van Brakel