MVC Side effect of using [HttpPost, ValidateInput(false)]

Question

I have a TextArea in my strongly typed View defined with

@Html.TextAreaFor(x => x.Text)

My controller Action originally looked similar to this:

[HttpPost]
public ViewResult Index(MyViewModel vm)
{
    using (var db = new MyEntities())
    {
        Post p = new Post();
        p.Text = vm.Text;
        db.Posts.AddObject(p);
        db.SaveChanges();
    }
    return View();
}

This worked fine. The text the user entered into the TextArea was passed into the controller and saved into the Post table in SQL Server via Entity Framework. The data type for this field is varchar(1000). (There is also Model validation on the Text field using MetadataType with [StringLength(1000)] validation.)

I noticed that if I tried to copy some HTML source and paste it into the TextArea and submit it, I received the following error:

"A potentially dangerous Request.Form value was detected from the client"

The error led me to this question, and the take away from there was that I could simply add

[HttpPost, ValidateInput(false)]

to my Action to stop that type of validation. This worked wonderfully, but to my surpise, no matter what I tried putting into the TextArea, I couldn't cause any problems. If I paste in javascript, html or T-SQL statements riddled with quote characters, it still works fine. I see the exact characters I entered into the TextArea appearing in the SQL table, and if I display the text back to the View, I see in the source each character is converted to the HTML counterpart, and the display on the screen looks just like it did when I entered it in. I did not do any sort of text conversion to accomplish this. It seems by default everything is working exactly as I want it to. Of course I'm glad for this, but when I read about disabling the validation, it is often followed with a warning that you should understand the consequences of doing this, and I don't think I do. So I wonder, what are the consequences? Is there anything someone could possibly type into my TextArea that could mess things up as a result of disabling the input validation?

In case it's relevant, my particular setup is MVC4, .NET 4.0, Entity Framework 4.4, SQL Server 2012 Express.

Answer 1

If you are using razor any text that you output will automatically be encoded which will appear as text in the browser but not be interpreted as javascript etc.

If you are turning validation off you have to be very careful to ensure that you are encoding all user input whereever you display it so that you dont inadvertently run some javascript on your page due to somethign a user entered (look at XSS for some examples).

You can test quickly (althought not an exhaustive search) by adding some kind of javascript alert('hello') call to various varchar fields in your database and see if it gets called when you visit the page.

Also even if you arent displaying the user data it may have implications depending on how you do your data access.

Even if you use something like entity framework you are not protected from sql injection for instance if you used stored procedures and did not do validation checking on the input. See Troy Hunt's article on this