
I am working on a functionality based on ASP.NET MVC 5 to manage message templates which are rendered as html. Having html-markup in the viewmodel causes some problems.

Those message templates are edited via a WYSIWYG-editor.

Here is a basic example of the controller:

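```csharp
using System.Web.Mvc;

public class BlackboardController : Controller
{
    // GET: renders the editor pre-filled with sample markup.
    public ActionResult Template()
    {
        return View(new RichTextEditorViewModel()
        {
            Message = "<h1>I'm a headline</h1><p>I'm a regular text...</p>"
        });
    }

    // POST: model binding fills the view model from the posted form.
    [HttpPost]
    public ActionResult Template(RichTextEditorViewModel model)
    {
        // Invalid model: re-render the same view with the posted values.
        if (!ModelState.IsValid)
            return View(model);

        return RedirectToAction("Template");
    }
}
```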

Basic example of the model:

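```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

public class RichTextEditorViewModel
{
    [Required]
    [Display(Name = "Template name")]
    public string TemplateName { get; set; }

    // [AllowHtml] skips request validation for this property during model binding.
    [AllowHtml]
    [Display(Name = "Message")]
    public string Message { get; set; }
}
```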

Part of the view:

```cshtml
@using (Html.BeginForm("Template", "Blackboard", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
{
    <div class="form-group">
        <label class="col-md-4 control-label">Message </label>
        <div class="col-md-8">
            <div class="input-group">
                @Html.TextAreaFor(m => m.Message, new { rows = "20", style = "resize:none;width:400px;", placeholder = Html.DisplayNameFor(m => m.Message), @class = "form-control input-lg textarea-editor" })
            </div>
        </div>
    </div>

    <div class="form-group">
        <div class="col-md-offset-2 col-md-10">
            <input type="submit" value="Save template" class="btn btn-default" />
        </div>
    </div>
}
```

Everything works fine when I post HTML markup to the controller action. To make that work, I had to decorate the model property containing the markup with the AllowHtml attribute.

BUT: If the ModelState is not valid, e.g. TemplateName is null, then I still get that HttpRequestValidationException saying:

"A potentially dangerous Request.Form value was detected from the client"

I couldn't reproduce that behaviour with that basic example, but it happens in my more complex web application. On some sites I found the information that an exception gets thrown if anything touches a property of the Request property of the controller or view. I tried to work on that, but it didn't seem to help. Also, I don't know what components are actually accessing the request or containing a reference to that request.

How can it be that I won't see this exception if the ModelState is valid? And how can it be that the HttpRequestValidationException gets thrown when the ModelState is invalid?

Tom
  • Possible duplicate of [A potentially dangerous Request.Form value was detected from the client](https://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client) – Kenneth K. Jan 28 '19 at 16:22
  • @KennethK. not a duplicate since I am using the AllowHtml-attribute and still get strange behaviour. – Tom Jan 28 '19 at 16:25
  • If you remove the [Required] from TemplateName, does it give you the same error? – Brian P Jan 28 '19 at 16:29
  • @BrianP no I don't get the same error. Somehow it seems to work then. But this property needs to be marked as required. – Tom Jan 28 '19 at 16:40
  • @Tom I am betting that it has to do with route selection. It is looking for a route that does not require the TemplateName. If this is the only place you use the ViewModel, I would remove the required attribute and then manually handle that validation. Also would be good practice to make sure the client side is enforcing it. – Brian P Jan 28 '19 at 17:20
  • @BrianP I just tried that. I get the same error when having an error in the ModelState. `if (string.IsNullOrWhiteSpace(model.TemplateName)) { ModelState.AddModelError(nameof(model.TemplateName), "The template-name is required."); return View(model); }` – Tom Jan 29 '19 at 08:00
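
One way to find out which component reads validated request data, as an added example that is not part of the original question or its comments: an MVC exception filter that logs the stack trace of the `HttpRequestValidationException`. The filter name `RequestValidationTraceFilter` and the use of `System.Diagnostics.Trace` as the log target are assumptions.

```csharp
using System.Diagnostics;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical diagnostic filter (the name is an assumption, not from the question).
// Request validation fires when validated request data such as Request.Form is
// read, so the stack trace of the exception points at the code doing the read.
// Register once in Application_Start:
//     GlobalFilters.Filters.Add(new RequestValidationTraceFilter());
public class RequestValidationTraceFilter : IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        var ex = filterContext.Exception as HttpRequestValidationException;
        if (ex == null)
            return; // every other exception is left to the normal pipeline

        var request = filterContext.HttpContext.Request;

        // Request.Unvalidated exposes the same data without running request
        // validation, so this handler cannot trigger the exception again.
        // Only key names are logged, with line breaks stripped, because both
        // names and values are untrusted client input.
        var formKeys = request.Unvalidated.Form.AllKeys
            .Where(k => k != null)
            .Select(k => k.Replace("\r", "").Replace("\n", ""));

        Trace.TraceWarning(
            "Request validation failed for {0} {1}; posted keys: [{2}]\n{3}",
            request.HttpMethod,
            request.Unvalidated.Path,
            string.Join(", ", formKeys),
            ex); // ex.ToString() includes the stack trace of the offending read

        // ExceptionHandled stays false: the request still fails as before,
        // the filter only records where validation was triggered.
    }
}
```

The top frames of the logged trace name the helper, filter or view code that accessed the validated collection. Markup accepted through `[AllowHtml]` bypasses request validation, so it needs its own allow-list sanitization before it is rendered.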

0 Answers