How to show a nicer error than: "A potentially dangerous Request.Form value was detected from the client"

While doing some hacking on my own site I encountered (after some googling) a common problem.

"A potentially dangerous Request.Form value was detected from the client may it be a XSS attempt or a malicious character

case 1 : A potentially dangerous Request.Form value was detected from the client (Firstname ="<script> alert("x");...").

case 2 : A potentially dangerous Request.Form value was detected from the client (*)."

The ASP MVC team did a good job catching the error for me, but how do I show a nicer error to my users? For example: "Something happened, please repeat your steps; if this message appears again please contact person x ...".

Solution for ASP MVC developers:

  1. Create an ErrorController with an Index.
  2. Add the following line to your web.config:

<customErrors mode="On" defaultRedirect="~/Error/Index"/>

  3. Write tests to check the controller operations.
  4. Don't forget to create the actual view.

Optionally, you might want to put mode="RemoteOnly".

Note: for more information on customErrors attributes, see: customErrors Element

David asked Mar 29 '11 08:03


2 Answers

It's not MVC-specific. ASP.Net webforms will give you the same error.

I think you should use Custom Error Pages. Custom error pages are defined in Web.config like:

<customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx"/>

For more information about custom error pages, visit http://aspnetresources.com/articles/CustomErrorPages

Also, you can handle Global.asax Application_Error event to do whatever you want.

Microsoft has a very nice article including source code which does exactly what you want to do (and more). Check it out at http://support.microsoft.com/kb/306355

Kamyar answered Oct 24 '22 18:10
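As an added example (not part of Kamyar's answer or of the linked Microsoft article), here is the Global.asax Application_Error approach applied specifically to the request-validation failure: the rejected input is logged server-side for the defender, the default error page (which quotes the offending value) is suppressed, and a generic ErrorController/Index view is rendered with a 400 status instead of a 302 redirect that ends in a 200. ErrorController, its Index action and the message text are assumptions for the illustration.

```csharp
// Added example: Global.asax.cs for an ASP.NET MVC 3/4 application.
// ErrorController and the friendly message below are assumptions.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public class MvcApplication : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // "A potentially dangerous Request.Form value was detected" is raised
        // as HttpRequestValidationException. Leave every other exception to
        // the customErrors element in web.config.
        if (!(ex is HttpRequestValidationException)) return;

        // Record what a responder needs (where, who, when) but do not copy the
        // rejected value into the log line, so it cannot be re-rendered later
        // by a log viewer that trusts its own data.
        string user = Context.User != null && Context.User.Identity.IsAuthenticated
            ? Context.User.Identity.Name
            : "anonymous";
        Trace.TraceWarning("Request validation rejected input: path={0} ip={1} user={2} utc={3:o}",
            Request.Path, Request.UserHostAddress, user, DateTime.UtcNow);

        // Drop the default error response and answer with the generic page.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;              // bad input, not a server fault
        Response.TrySkipIisCustomErrors = true; // keep IIS from replacing the body

        var routeData = new RouteData();
        routeData.Values["controller"] = "Error";
        routeData.Values["action"] = "Index";
        IController errorController = new ErrorController();
        errorController.Execute(new RequestContext(new HttpContextWrapper(Context), routeData));
    }
}

public class ErrorController : Controller
{
    public ActionResult Index()
    {
        // Generic text only: never echo the rejected form value back to the browser.
        ViewBag.Message = "Something happened, please repeat your steps. "
                        + "If this message appears again please contact person x.";
        return View();
    }
}
```

Executing the controller directly, rather than redirecting, keeps the original URL and the 400 status visible to the client and to monitoring. The same effect cannot be obtained with customErrors redirectMode="ResponseRewrite" for an MVC route, because that setting uses Server.Transfer, which expects a physical page.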


Here is another way that is MVC specific:

  • Create a custom FilterAttribute that implements IExceptionFilter.
  • From inside the FilterAttribute, you can redirect to the controller or view to be used to display the error.
  • Register the filter in the Global.asax or attribute your controllers.

This has the advantage that you can show a different error page only for HttpRequestValidationException.

using System.Web;       // HttpRequestValidationException
using System.Web.Mvc;   // FilterAttribute, IExceptionFilter, ExceptionContext, RedirectResult

public class HttpRequestValidationExceptionAttribute : FilterAttribute, IExceptionFilter {
    public void OnException(ExceptionContext filterContext) {
        // Only act on the request-validation failure, and only if no earlier filter handled it.
        if (!filterContext.ExceptionHandled && filterContext.Exception is HttpRequestValidationException) {
            filterContext.Result = new RedirectResult("~/HttpError/HttpRequestValidationError");
            filterContext.ExceptionHandled = true;
        }
    }
}

Georg Patscheider answered Oct 24 '22 19:10
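The following is an added example, not code from either answer, covering the remaining steps of the question's procedure (the controller, the view's message, and the tests) together with the registration step of Georg Patscheider's filter. It assumes the HttpRequestValidationExceptionAttribute class shown in the answer above is present in the same project, and the HttpErrorController name, its action and the MSTest test names are assumptions.

```csharp
// Added example: global registration, the target controller, and unit tests
// for HttpRequestValidationExceptionAttribute (defined in the answer above).
using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.VisualStudio.TestTools.UnitTesting;

// Global.asax.cs: registering the filter once for every controller (MVC 3+).
public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        GlobalFilters.Filters.Add(new HttpRequestValidationExceptionAttribute());
    }
}

// The controller the filter redirects to; the name is an assumption that
// matches the "~/HttpError/HttpRequestValidationError" URL in the filter.
public class HttpErrorController : Controller
{
    public ActionResult HttpRequestValidationError()
    {
        // Generic message only; the rejected value is never shown to the user.
        ViewBag.Message = "Something happened, please repeat your steps. "
                        + "If this message appears again please contact person x.";
        return View();
    }
}

// Tests for the filter's two branches, using MVC's settable ExceptionContext.
[TestClass]
public class HttpRequestValidationExceptionAttributeTests
{
    [TestMethod]
    public void RedirectsToFriendlyPageForRequestValidationFailure()
    {
        var filter = new HttpRequestValidationExceptionAttribute();
        var context = new ExceptionContext
        {
            Exception = new HttpRequestValidationException("constructed test exception")
        };

        filter.OnException(context);

        Assert.IsTrue(context.ExceptionHandled);
        var redirect = context.Result as RedirectResult;
        Assert.IsNotNull(redirect);
        Assert.AreEqual("~/HttpError/HttpRequestValidationError", redirect.Url);
    }

    [TestMethod]
    public void LeavesOtherExceptionsToCustomErrors()
    {
        var filter = new HttpRequestValidationExceptionAttribute();
        var context = new ExceptionContext
        {
            Exception = new InvalidOperationException("constructed test exception")
        };

        filter.OnException(context);

        Assert.IsFalse(context.ExceptionHandled);
        Assert.IsNull(context.Result);
    }
}
```

The filter only sees exceptions raised while an action is being invoked, which covers the usual case because request validation fires when model binding first reads Request.Form. Code that touches Request.Form earlier (an HTTP module, or Global.asax itself) raises the exception outside the action pipeline, where only customErrors or Application_Error can catch it.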