
A potentially dangerous Request.Form value was detected from the client (Body="<b></b>").

This error is occurring when I try to enter something like <b></b> in my comments field and send it. I've searched and the only thing I find is to disable validation for dangerous data altogether, but I don't want to disable it since then my site will be vulnerable.
What I want is to encode it before sending or something along these lines so it will send the data, just encoded.

Bertrand Marron
Stan
    possible duplicate of [A potentially dangerous Request.Form value was detected from the client](http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client) – Bertrand Marron Jul 25 '11 at 22:58

3 Answers

11

If you're using .NET 4 you can decorate your model with [AllowHtml] which will let just that specific property through. You can then sanitize it in the controller logic.

using System.Web.Mvc;   // [AllowHtml] lives in System.Web.Mvc (ASP.NET MVC 3+)

public class MyViewModel
{
    // still subject to request validation
    public string prop1 { get; set; }

    // request validation is skipped for this one property only
    [AllowHtml]
    public string prop2 { get; set; }
}
Chris Moschini
Richard Forrest
    -1 OP stated he didn't want to disable or sidestep validation. He's right to NOT want to do that - very bad security practice to disable validation. – Tim Jul 25 '11 at 22:59
  • @Tim That's why I suggested a per-property solution, not per request, and suggested that the value was sanitized at the controller – Richard Forrest Jul 25 '11 at 23:12
  • I missed that part when I first read your answer. Sorry for the downvote. – Tim Jul 25 '11 at 23:20
  • Well this approach works with Microsoft AntiXSS libraries, but then if I want to show something in (code) tags it just removes it. Maybe it is a better idea to just do a replace on it like forums do? [b] will be replaced to etc. Since all I need is Bold/Italic/Underline/Link/Img/Code – Stan Jul 26 '11 at 08:25
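An added example, not code from any of the answers, of the per-property approach above combined with the forum-style [b] replacement Stan mentions: the whole field is HTML-encoded first, and only a fixed whitelist of BBCode tags is turned back into markup, so a literal <b></b> or <script> typed by the user is rendered as text. The CommentViewModel, BbCode and CommentsController names are assumptions.

```csharp
using System.Text.RegularExpressions;
using System.Web;       // HttpUtility.HtmlEncode
using System.Web.Mvc;   // [AllowHtml], Controller, MvcHtmlString

// Hypothetical view model: only Body may carry markup; Author is
// still covered by request validation.
public class CommentViewModel
{
    public string Author { get; set; }

    [AllowHtml]
    public string Body { get; set; }
}

public static class BbCode
{
    // Encode everything first, then re-enable a fixed whitelist of [tags].
    // A raw "<script>" typed by the user stays "&lt;script&gt;".
    public static string ToSafeHtml(string input)
    {
        string s = HttpUtility.HtmlEncode(input ?? string.Empty);

        foreach (string tag in new[] { "b", "i", "u", "code" })
            s = Regex.Replace(s,
                @"\[" + tag + @"\](.*?)\[/" + tag + @"\]",
                "<" + tag + ">$1</" + tag + ">",
                RegexOptions.Singleline | RegexOptions.IgnoreCase);

        // [url=http://...]text[/url]: http(s) only, so "javascript:" can
        // never become an href; the URL is already entity-encoded.
        s = Regex.Replace(s,
            @"\[url=(https?://[^\]\s]+)\](.*?)\[/url\]",
            "<a href=\"$1\" rel=\"nofollow\">$2</a>",
            RegexOptions.Singleline | RegexOptions.IgnoreCase);

        return s;
    }
}

public class CommentsController : Controller
{
    [HttpPost]
    public ActionResult Create(CommentViewModel model)
    {
        // Store model.Body raw; sanitise at render time, and only then
        // mark the result as safe so the view does not re-encode it.
        ViewBag.RenderedBody = MvcHtmlString.Create(BbCode.ToSafeHtml(model.Body));
        return View(model);
    }
}
```

Because encoding happens before the whitelist substitution, a user cannot smuggle attributes or extra tags through the [b]/[url] forms; anything outside the whitelist reaches the page as visible text.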
8

Why not simply use the HttpUtility.HtmlEncode method?

using System.Web;   // HttpUtility

// replaces <, >, &, " and ' with their HTML entities
string encodedHTML = HttpUtility.HtmlEncode(unencodedString);

You might also look into Microsoft's Anti-XSS Library.

Tim
  • Tim, your answer lacks context completely. What are you trying to do with that `HtmlEncode`? `<b></b>` is NOT ``. Storing the html encoded version in your database would be very wrong. – Bertrand Marron Jul 25 '11 at 23:09
  • I wasn't suggesting (or at least that wasn't my intention) to store the encoded version in the database. I was simply stating that taking unsanitized HTML as input is never a good idea. – Tim Jul 25 '11 at 23:22
  • What is wrong with posting an HTML string as long as it's properly encoded when you write it back to an HTML output? – Bertrand Marron Jul 25 '11 at 23:27
0

What about adding a JavaScript event on the submit button, which encodes the text values before sending the form?

Try encodeURI or encodeURIComponent.

nWorx