
Can a page's ValidateRequest setting be overridden?

Tags:

asp.net-mvc

I have an ASP.NET MVC form that may (usually does) submit a response that would trigger the "A potentially dangerous Request.Form value was detected from the client" error.

To try to get around this, I have placed a ValidateRequest="false" in the page directive.

Only problem: I'm still getting the error!

Now, all was good until I updated to the ASP.NET MVC RC this morning, and (according to the readme), placed the following in the Views web.config:

    <pages validateRequest="false"
           pageParserFilterType="System.Web.Mvc.ViewTypeParserFilter, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
           pageBaseType="System.Web.Mvc.ViewPage, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
           userControlBaseType="System.Web.Mvc.ViewUserControl, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
        <controls>
            <add assembly="System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="System.Web.Mvc" tagPrefix="mvc" />
        </controls>
    </pages>

So, validateRequest should be false for all pages, right? What am I missing?

Darren Oster asked Jan 28 '09 03:01




1 Answer

In MVC, validation takes place at the controller level, not at the page level. To see why this is, consider that at the time the controller action is executing, we don't know what view will be chosen to render. (In fact, the controller action might not even render a view at all! It might open a file download prompt on the client instead.) Additionally, if a user is submitting malicious input to the server, by the time the view is rendered it's too late to do anything about it. The controller already will have committed the dangerous input to the database.

Instead, please decorate the controller or action with the attribute [ValidateInput(false)]. This will cause us to suppress request validation for that controller or action.

Levi answered Oct 03 '22 08:10
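An added example (not from the original question or answer) of the [ValidateInput(false)] attribute the answer describes, applied to a single action. Because the attribute turns off request validation for every field the action receives, the action checks its own input and the stored value is HTML-encoded at output. The controller name, action names, length limit and static field are assumptions for illustration.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical controller; names, the limit and the static store are assumptions.
public class CommentController : Controller
{
    private const int MaxBodyLength = 4000;
    private static string _savedBody = "";   // stands in for the database

    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]   // suppresses request validation for every field of this action
    public ActionResult Save(string title, string body)
    {
        // With the built-in check off, the action validates what it accepts.
        if (string.IsNullOrEmpty(title) || title.IndexOfAny(new[] { '<', '>' }) >= 0)
            ModelState.AddModelError("title", "Title must be plain text.");
        if (string.IsNullOrEmpty(body) || body.Length > MaxBodyLength)
            ModelState.AddModelError("body", "Body is required and limited in length.");

        if (!ModelState.IsValid)
            return View();   // redisplay the form with the errors

        _savedBody = body;   // stored exactly as submitted
        return RedirectToAction("Show");
    }

    // No attribute here, so request validation still applies to this action.
    public ActionResult Show()
    {
        // Encode at output so stored markup is displayed as text, not executed.
        return Content(HttpUtility.HtmlEncode(_savedBody), "text/html");
    }
}
```

Placing the attribute on the one action that needs it, rather than on the whole controller, leaves request validation active for every other action.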