
I have an MVC C# application working and all is good, however, I have just found something bad.

I have a form that allows input text. Of course, that input text is rendered using an HTML helper.

The corresponding model field is something like this:

    [Required]
    [StringLength(50, ErrorMessage = "El {0} debe tener como máximo {1} caracteres.")]
    [Display(Name = "Nombre")]
    public string Nombre { get; set; }

Well... as I said, it works, however, when I enter < in the form field, this error occurs:

A potentially dangerous Request.Form value was detected from the client (Nombre="<Normal").

And the form is not actually submitted.

The question is: is there already a data annotation filter that allows me to strip dangerous characters automatically, before posting? If not, how can I create one? Should I add an annotation filter at class or property level? If at property level, I will need to go through all model classes adding the attribute to the string properties. Maybe I could create an action filter also, but I think this could be insecure if the site is actually being attacked.

What are your thoughts?

Thanks, Jaime

  • Please state how this question is not a duplicate of https://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client – Caius Jard Feb 15 '21 at 21:49
  • Does this answer your question? [A potentially dangerous Request.Form value was detected from the client](https://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client) – Ian Kemp Feb 15 '21 at 21:50
  • @CaiusJard is not duplicate – jstuardo Feb 16 '21 at 10:53
  • @IanKemp that does not answer. I don't want to configure validate request to false because that will be insecure. As I asked, I need to allow the request, but before posting the model, content should be cleaned when it is string. I am thinking about adding an attribute to each string field, so that, before posting, all dangerous characters will be removed. – jstuardo Feb 16 '21 at 10:56
  • Notice also that those fields are not for storing HTML. I have other fields for HTML and I have implemented solutions from those posts, but most of string fields are not for storing HTML. That is why I need to remove or replace entities. For example, if user enters `<` in the field, that character should be removed or replaced by `<`, and so on. – jstuardo Feb 16 '21 at 11:06
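An added example, not code from the question or from ASP.NET itself, of the property-level attribute the question asks for, done as a `DefaultModelBinder` override for ASP.NET MVC 5 rather than an action filter: the `StripMarkupAttribute`, `SanitizingModelBinder` and `StripMarkup` names are mine, and it assumes the per-key (`requestValidationMode="4.5"`) request validation that the `Nombre=...` error message indicates. It only stops the post from being rejected; Razor's output encoding stays the actual XSS defence.

```csharp
using System;
using System.ComponentModel;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web.Mvc;

// Marks a plain-text string property whose markup is stripped at binding time.
[AttributeUsage(AttributeTargets.Property)]
public sealed class StripMarkupAttribute : Attribute { }

// Registered in Global.asax Application_Start as
//   ModelBinders.Binders.DefaultBinder = new SanitizingModelBinder();
// For [StripMarkup] string properties it reads the raw value of that one form key,
// cleans it and binds it. Every other property takes the normal path, so request
// validation keeps protecting fields that do not carry the attribute.
public class SanitizingModelBinder : DefaultModelBinder
{
    // '<', '>' and the "&#" entity prefix are the sequences request validation
    // rejects. Constructed policy for this example; adjust to the field's needs.
    private static readonly Regex Dangerous = new Regex("<|>|&#", RegexOptions.Compiled);

    public static string StripMarkup(string value)
    {
        return value == null ? null : Dangerous.Replace(value, string.Empty);
    }

    protected override void BindProperty(ControllerContext controllerContext,
        ModelBindingContext bindingContext, PropertyDescriptor propertyDescriptor)
    {
        bool strip = propertyDescriptor.PropertyType == typeof(string)
            && propertyDescriptor.Attributes.OfType<StripMarkupAttribute>().Any();
        var unvalidated = bindingContext.ValueProvider as IUnvalidatedValueProvider;
        if (!strip || unvalidated == null)
        {
            base.BindProperty(controllerContext, bindingContext, propertyDescriptor);
            return;
        }
        string key = CreateSubPropertyName(bindingContext.ModelName, propertyDescriptor.Name);
        // skipValidation: true fetches only this key unvalidated, so the
        // HttpRequestValidationException from the question is not raised here.
        ValueProviderResult raw = unvalidated.GetValue(key, skipValidation: true);
        if (raw == null) return; // field absent from the post: leave the property alone

        string clean = StripMarkup(raw.AttemptedValue);
        propertyDescriptor.SetValue(bindingContext.Model, clean);
        // Record the cleaned value so the form redisplays it, not the raw one, on error.
        bindingContext.ModelState.SetModelValue(key,
            new ValueProviderResult(clean, clean, raw.Culture));
    }
}
```

`[Required]` and `[StringLength]` still run afterwards in `OnModelUpdated`, so the existing annotations keep working on the cleaned value. Any other code that reads the whole `Request.Form` collection (rather than a single key) would still trigger validation, which is also the difference from the framework's own `[AllowHtml]`, which skips validation for the property instead of cleaning it.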

0 Answers