Wednesday, May 4, 2011

ASP.NET 4.0, MVC and request validation

By Alejandro Villarreal

If you’ve ever dealt with the front-end part of application development in ASP.NET, you might have encountered the following error at some point:

A potentially dangerous Request.QueryString value was detected from the client

This happens when the user submits a value (either in a form or in the query string) that the ASP.NET Framework considers dangerous, in the sense that it might be an HTML/script injection attack.

Sometimes it is necessary to turn that feature off (see here and here on how to do it). It might be the case that you expect the user to provide valid XML/HTML, and thus you don’t want the Framework to abort the request with an Exception. As explained in the links I mentioned before, this can be done by disabling this validation completely in the Web.Config file or on a per-page basis (when working with WebForms), or disabling it for a controller or specific controller actions (when working with MVC).

Since I’m currently working on an application that uses the MVC Framework, this post focuses on the problem I had while trying to disable request validation for specific controller actions.

According to this post by Stephen Walther (and several others), the only thing you need to do is add the ValidateInput attribute to your action method, like this:

[ValidateInput(false)]
public ActionResult MyActionMethod(string myParameter)
{
    // Method implementation goes here...
}

Seems simple enough… but it just wouldn’t work for me! I kept receiving the “potentially dangerous” error when making a request to the URL that triggered “MyActionMethod”, when “myParameter” included an HTML tag. The method wasn’t even being activated.

After a bit of research I stumbled upon this post, which had the solution. The key was this:

So the MVC team gave us the [ValidateInput(false)] attribute to disable this annoying feature. But just setting it on an action will also fail, you still have to set one more setting at the web.config for this to work (if you are working with asp.net 4)

Oh, I am working with ASP.NET 4! So I had to add this to my Web.Config file:


...

...

As explained in the article (and originally in this whitepaper that explains the breaking changes in ASP.NET 4), previous versions of the Framework only performed request validation for ASP.NET pages (.aspx files and their class files), while version 4 performs it for all requests, before their BeginRequest phase. In my particular scenario, this means that the attributes in the controller don’t even have a chance to act, since the Framework has already decided that the request will be aborted. And that’s why reverting the validation behavior to that in version 2.0 of the Framework (through that additional line in the config file) makes everything work as expected again.
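The Web.Config fragment that produces the behavior described above, written out here as an added example rather than the snippet from the post (the httpRuntime element and its requestValidationMode attribute are the real ASP.NET 4 settings; the comments are mine):

```xml
<!-- Web.Config fragment (added example). Only the httpRuntime line is new;
     everything else is the usual surrounding structure. -->
<configuration>
  <system.web>
    <!-- ASP.NET 4 default ("4.0"): every request is validated before BeginRequest,
         so the request is rejected before any controller attribute can run.
         "2.0": validation is deferred to the handler, as in ASP.NET 2.0/3.5.
         MVC still validates actions by default; [ValidateInput(false)] on an
         action is now honored and opts only that action out. -->
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
</configuration>
```

This switch is application-wide, so every action that accepts raw HTML must still encode it on output or pass it through a sanitizer before it is rendered. MVC 3 also adds an [AllowHtml] attribute for individual model properties, a narrower opt-out than disabling validation for a whole action.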

This made me think about how request validation could be disabled for specific actions in MVC applications running on Framework 4.0 without resorting to that behavior, but I couldn’t find any documentation on it. Hopefully Microsoft did think about this and we’ll soon start seeing solutions to that problem…
