Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

When I submit HTML characters in my form, why does ASP.NET throw an internal server (500) error?

When I put in HTML characters in my form, such as <br />, ASP.NET throws an internal 500 exception as described here.

A potentially dangerous Request.Form value was detected from the client (Name="<br />").

Ok, so it's protecting me from unencoded characters that could be used for malicious reasons.

The problem is, and this is answered nowhere in my long search, is what to do about it. I.e. my application shouldn't just be throwing a generic internal server error when a user inputs bad characters (what if they're drawing an arrow such as <--).

What would be better is to simply return to the page with a ModelState error that says "Please don't use HTML characters" or something meaningful.

But how is this to be achieved? The error is thrown way before it gets to my code. Also, I don't want to just turn it off via validateRequest="false" and then have to validate every single form in my application for HTML characters and return an error.

Is there a way to leave this type of validation enabled but just handle it differently?

Code for clarification:

Model

Public Class SomeModel
    Public Property SomeField As String
End Class

Controller

<HttpPost>
Function SomeController(ByVal model As SomeModel)
    ' model.SomeField contains some HTML characters :O
    ' but it doesn't matter, since an internal error has occured :(
End Function
like image 941
Rowan Freeman Avatar asked Mar 12 '13 04:03

Rowan Freeman


People also ask

How do you solve 500 Internal server error There is a problem with the resource you are looking for and it Cannot be displayed?

There is a problem with the resource you are looking for, and it cannot be displayed. The first solution to a 500 internal server error is to refresh the page. If the error persists, you may try clearing the cookies, deactivating faulty plugins or themes, fixing the . htaccess file, or contacting your hosting provider.

How do I fix 500 internal server error IIS?

IIS error The error 500.19 is an internal server error often occurring on a server using Microsoft IIS software. It indicates that the configuration data for the page is invalid. To solve the issue, delete the malformed XML element from the Web. config file or from the ApplicationHost.

What is Internal server error in C#?

"500.0 – Internal Server Error" is an IIS Error code meaning that the web service is unavailable. This means the error is with the API, not your client.


2 Answers

Have you tried adding the AllowHtml attribute to the property of your viewmodel?

like image 102
Pablo Romeo Avatar answered Oct 01 '22 12:10

Pablo Romeo


It is definitely possible to show your own error page with whatever message you see fit.
You use customError pages for this.

You can configure these error pages to be shown for the appropriate error code.

<configuration>
   <system.web>
      <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" 
                    defaultRedirect="GenericError.htm">
         <error statusCode="500" redirect="InternalError.aspx"/>
      </customErrors>
   </system.web>
</configuration>

Displaying a Custom Error Page

On your error page you can detect the last error with Server.GetLastError() and use it show an appropriate message, if you want this case of html data to be handled differently.

like image 42
nunespascal Avatar answered Oct 01 '22 12:10

nunespascal