Input

Question

I'm writing a hello world example using ASP.net MVC 2 framework with two text boxes for username and password field.

    <form action=/Home/Index method="post">
        <input type="text" id="UserName" name="UserName" maxlength="100" tabindex="1" autocomplete="off"/>
        <input type="password" id="Password" name="Password" maxlength="15" tabindex="2" autocomplete="off"/>
        <input type="submit" value="submit" />
    </form>

When I input into username field, I get this message

A potentially dangerous Request.Form value was detected from the client (Email=" Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: . After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (Email="

Someone please tell me how to fix it, it appears sending request is not redirected to my controller yet. Thank you much!

The easiest solution is simply to not allow the brackets in the email address. This mechanism is there to help prevent cross-site scripting attacks. — tvanfosson, Mar 22 '11 at 12:46

score 1 · Answer 1 · edited May 23 '17 at 12:14

The built-in input validation is throwing an exception because of the < character, which could potentially be used in cross-site scripting attacks, etc. Thus, it's intercepting the request and throwing the error before anything gets to your controller just to be on the safe side.

This isn't limited to just the MVC framework, it's an overall ASP .NET thing. There's a pretty good question with some pretty good answers about it here.

score 0 · Accepted Answer · answered Mar 22 '11 at 12:50

0

A few pointers:

First try running the site as as .NET 2.0 rather than 4.0. Are you using IISExpress? If so there is a switch to set the CLR to version 2. see here:

http://learn.iis.net/page.aspx/870/running-iis-express-from-the-command-line/

Next the system will always look for HTML chars in the posted data as this is an indication of cross site scripting attacks. If you expect these values to contain HTML chars then you can add an exception on the controller action like so:

[ValidateInput(false)]
public ActionResult ActionName(ModelType model)
{
   ....

  return View();
}

answered Mar 22 '11 at 12:50

Richard

21,728
13
62
101

Request validation has been around since 2.0 – matt-dot-net Mar 22 '11 at 17:35
Yes it has. I was was pointing out that if you run IISexpress, by default it runs as .NET 4.0 which causes problems on MVC 2.0 sites and so you have to configure to requestValidationMode="2.0" in the web.config. Choose .Net 2.0 clr avoids this issue – Richard Mar 23 '11 at 13:02

Input

2 Answers2