HtmlEncode on Post for ASP.Net MVC 3 Html.TextAreaFor

I have an ASP.Net MVC 3 page in which I have an Html.TextAreaFor control, see code below. If I try to submit the page to the http post action with text in angle brackets like: <test>, I get a yellow error screen saying:

A potentially dangerous Request.Form value was detected from the client (RequestText="").

I don't understand why I am getting this, because I found an article by Scott Guthrie which says the new <%: %> syntax in .Net 4 will automatically HtmlEncode the element. Since I'm using the <%: %> syntax for the Html.TextAreaFor control, I thought it would automatically take care of this and convert the angle brackets to the proper "&lt;" and "&gt;" strings.

<% using (Html.BeginForm())
   { %>
    <%: Html.ValidationSummary() %>
    <h2>Enter a description of the support needed</h2>
    <%: Html.TextAreaFor( m => m.RequestText, 4, 90, null) %>
    <input type="submit" value="Submit" />
<% } %>
Russ Clark asked Jan 10 '12 19:01



2 Answers

Basically, right now you're encoding the content of the TextAreaFor on the output. This doesn't help you in the slightest, since you're trying to deal with input.

If you want to submit "potentially dangerous" content, you need to either

1) decorate the RequestText property within your ViewModel with [AllowHtml]. (preferred)

[AllowHtml]
public string RequestText { get; set; }

2) disable validateRequest

<system.web>
    <compilation debug="true" targetFramework="4.0" />
    <httpRuntime requestValidationMode="2.0" />
</system.web>

Then you must ensure you're appropriately sanitizing that data and/or encoding it in your controller before submitting it to your Repository Layer or Database.

Chase Florell answered Nov 03 '22 01:11


You could decorate your RequestText property on the view model with the AllowHtmlAttribute:

[AllowHtml]
public string RequestText { get; set; }

This way you are authorizing the client to submit HTML for this property only.

As far as the <%: %> syntax is concerned, this is used to HTML encode some value before outputting it to the page. It is used to protect against XSS attacks. It is irrelevant in your case because you are not outputting to the page, you are receiving HTML characters in a request.

Darin Dimitrov answered Nov 02 '22 23:11
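Putting both answers together, as an added example that is not code from the question or from either answer: a view model that carries [AllowHtml] on RequestText only, and a POST action that encodes the submitted value before handing it to the persistence layer. SupportRequestViewModel, SupportController and ISupportRepository are assumed names; only RequestText and [AllowHtml] come from the page.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web;
using System.Web.Mvc;

// Added example; SupportRequestViewModel, SupportController and ISupportRepository are hypothetical.
public class SupportRequestViewModel
{
    // [AllowHtml] turns request validation off for this one property only, so a value
    // such as "<i>hi</i>" no longer triggers the "potentially dangerous Request.Form"
    // error. Every other property keeps the default validation.
    [AllowHtml]
    [Required]
    [StringLength(4000)]
    public string RequestText { get; set; }
}

public interface ISupportRepository
{
    void Save(string requestText);
}

public class SupportController : Controller
{
    private readonly ISupportRepository _repository;

    public SupportController(ISupportRepository repository)
    {
        _repository = repository;
    }

    [HttpPost]
    public ActionResult Create(SupportRequestViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Request validation was bypassed for RequestText, so the raw markup reaches
        // the action. Encode it before it is stored, as the first answer recommends:
        // "<i>hi</i>" becomes "&lt;i&gt;hi&lt;/i&gt;".
        // (If the stored value is later rendered through <%: %> or Html.TextAreaFor,
        // decode it first, or it is encoded twice and the literal entities show up.)
        string encoded = HttpUtility.HtmlEncode(model.RequestText);
        _repository.Save(encoded);

        return RedirectToAction("Index");
    }
}
```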