6

Using MVC5 I use [AllowHtml] on specific model properties to allow HTML to be POSTed up to the server.

In some places in code I want to access the Request params like so:

string wlid = HttpContext.Current.Request.Params["wlid"];

But this fails with a HttpRequestValidationException if any HTML is included in the request, even if the model propertiy is decorated with [AllowHtml].

Is there any way to access HttpContext.Current.Request.Params["wlid"] without completly disabling request validation?

Perhaps disabling request validation, accessing the Request.Params and then enabling it again instantly?

Mr. Flibble
  • 26,564
  • 23
  • 69
  • 100
  • Out of curiosity, have you tried `this.HttpContext.Request.Params["wlid"];` from within your controller? Not sure that will help with this issue, but you really shouldn't be tightly coupling your code to the static `HttpContext` in MVC applications. Also, in MVC you can get access to most parameters simply by adding them as parameters to the action method, as they are supplied to MVC by [value providers](https://stackoverflow.com/a/36606015/). – NightOwl888 Jan 19 '18 at 15:32
  • Have you figured out a solution to this? We are encountering the same issue. – Sen Apr 27 '18 at 19:45
  • @Sen IIRC, we didn't find a solution. We stopped looking though, so one might exist. – Mr. Flibble Apr 28 '18 at 10:53

2 Answers2

5

Request.Unvalidated works as an unvalidated equivalent of Request.Params.

So instead of

string wlid = HttpContext.Current.Request.Params["wlid"];

just use

string wlid = HttpContext.Current.Request.Unvalidated["wlid"];

or better (as suggested in the comments) to avoid coupling with the static member:

string wlid = this.HttpContext.Request.Unvalidated["wlid"];

TL;DR

If you look behind the scenes, Request.Params combines the following data (in this order):

  • QueryString
  • Form
  • Cookies
  • ServerVariables

You can peek its source code here: https://github.com/microsoft/referencesource/blob/master/System.Web/HttpRequest.cs

The key part is:

_params.Add(this.QueryString);
_params.Add(this.Form);
_params.Add(this.Cookies);
_params.Add(this.ServerVariables);

You're right that accessing Request.Params fails with HttpRequestValidationException as it reads the underneath collections which causes the request validation.

Documentation:

When ASP.NET reads the values in HTTP request collections (such as the Form, QueryString, and Cookies collections), it performs request validation. During request validation, ASP.NET examines the posted values and determines whether they contain markup, script, or reserved characters. By default, if ASP.NET detects any of these types of input, it throws an HttpRequestValidationException exception. This helps prevent malicious script injection attacks on your website.

So this works as designed. If you want to bypass ASP.NET request validation, there is a different object for that. It's called Request.Unvalidated and contains query string params, form variables and cookies in the form of its properties:

  • Request.Unvalidated.QueryString
  • Request.Unvalidated.Form
  • Request.Unvalidated.Cookies

Reading these properties does not trigger the request validation so you can use them in your case. If you don't know which of the above properties contains your data, you can just utilize the Request.Unvalidated in the form of Request.Unvalidated["somekey"] as it has an indexer which retrieves data from the Form, Cookies, QueryString, or ServerVariables collections. So it's a pretty close (but not validated!) equivalent of Request.Params.

Be aware that after bypassing the request validation you become vulnerable to cross-site scripting and you must manually validate the data for potential XSS attacks.

piter entity
  • 487
  • 4
  • 15
2

Validation was being triggered any time the Params collection was being accessed.

I was able to use this to get the value we needed

Request.Unvalidated.QueryString["key"]

Note: QueryString is not exactly the same as Params, but for our case the data we needed was in the query string so this worked.

See MSDN for HttpRequestBase.Unvalidated for more information.

Sen
  • 1,438
  • 2
  • 12
  • 19