03 Feb 2009

A potentially dangerous Request.Form value was detected in ASP.NET MVC


If you are getting something like the following error message in ASP.NET MVC:

A potentially dangerous Request.Form value was detected from the client (Description="<p>some HTML text</p>")

This is because of something called Request Validation, a feature put in place to protect your application from cross-site scripting attacks, as described in a White Paper on ASP.NET:

Many sites are not aware that they are open to simple script injection attacks. Whether the purpose of these attacks is to deface the site by displaying HTML, or to potentially execute client script to redirect the user to a hacker’s site, script injection attacks are a problem that Web developers must contend with.

Script injection attacks are a concern of all web developers, whether they are using ASP.NET, ASP, or other web development technologies.

The ASP.NET request validation feature proactively prevents these attacks by not allowing unencoded HTML content to be processed by the server unless the developer decides to allow that content.

You need to add the following to your action method:

[ValidateInput(false)]
public ActionResult MyAction (int id, string content) {
    // ...
}

This is a new feature that was added in ASP.NET MVC RC1; it turns off request validation for this action and this action only. However, you need to take special precautions to double-check your content for script tags, which may indicate a cross-site scripting attack. If you find one, make sure to do a simple replace that renders it harmless, such as:

content = content.Replace("<script", "[script").Replace("</script>","[/script]");

The above is not the most bulletproof code, but if you are using the ValidateInputAttribute on your action, make sure to do a quick search on XSS or Cross Site Scripting and become familiar with the basics of this kind of attack.
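As an added example (not code from the post), here is the pattern the post's advice leads to in a complete ASP.NET MVC controller: request validation is switched off for the one action that must accept markup, the submitted text is kept as opaque data, and HtmlEncode is applied at render time so that whatever was submitted is displayed as text rather than executed. The PostsController, its actions and the in-memory Store are hypothetical names chosen for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical controller (added example). Only Create() has request
// validation disabled; every other action keeps the default protection.
public class PostsController : Controller
{
    // Stands in for a database so the example is self-contained.
    private static readonly List<string> Store = new List<string>();

    [HttpPost]
    [ValidateInput(false)] // this action, and this action only, accepts markup
    public ActionResult Create(int id, string content)
    {
        if (string.IsNullOrEmpty(content))
        {
            ModelState.AddModelError("content", "Content is required.");
            return View();
        }

        // Keep the raw input. Encoding on the way in is the wrong place:
        // the same value may later be rendered in contexts that need
        // different escaping, and double-encoding becomes a problem.
        Store.Add(content);
        return RedirectToAction("Show", new { id = Store.Count - 1 });
    }

    public ActionResult Show(int id)
    {
        if (id < 0 || id >= Store.Count)
        {
            throw new HttpException(404, "Post not found");
        }

        // Encode on output: "<script>" becomes "&lt;script&gt;", which the
        // browser shows as literal text, regardless of tag case or spacing.
        // This is what a search-and-replace on "<script" cannot guarantee.
        ViewData["Content"] = HttpUtility.HtmlEncode(Store[id]);
        return View();
    }
}
```

In a WebForms-style view the value is emitted with <%= ViewData["Content"] %>, which does not encode again. Two caveats: with Razor views (MVC 3 onward) the @ syntax encodes automatically, so there you would pass the raw string and let the view encode it once; and on ASP.NET 4 the [ValidateInput(false)] attribute only takes effect when web.config sets <httpRuntime requestValidationMode="2.0" />, otherwise the request is rejected before the action is reached.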

written by
Nick Berardi

32 Responses to “A potentially dangerous Request.Form value was detected in ASP.NET MVC”

  1. shawn says:

    got here randomly from stackoverflow, but i think you are doing any potential readers a disservice by posting that script replace bit. furthermore why would you replace with brackets instead of html encoding. anyway there are way more ways to inject script than that. like blah

  2. Nick Berardi says:

    Come on Shawn, was that your best attempt at trying inject script in to my blog? Don’t think that just because I talk about the basics that I am not well protected.

    Also there are valid reasons to only replace the scripts tag, like what Jeff does on Stack Overflow with WMD Rich Test Editor. Granted his solution is more elegant, but I am not going for a robust solution here, just a quick and dirty method to get people in the mindset of what they need to look for.

  3. shawn says:

    no i was just posting the line not realizing it wouldn't be html encoded. i thought it would show up as text. that's not even what they need to look for. they need to html encode everything, and then whitelist the good stuff. nice blog software though, did you write it?

  4. test says:

    alert(‘!Oops’)

  5. Nick Berardi says:

    Will everybody please stop trying to test my input form. It is very well validated as you can see from everybody above. I strip out the script tags and just leave the contents.

  6. Tester says:

    <>var i = function(){alert(‘ok’)}<>

  7. Tester says:

    <>var i=function(){alert(‘ok’)}

  8. Tester says:

    <><> var i=function(){alert(‘ok’)} <><>

  9. Tester says:

    <script>var i = function(){alert(’ok’)}</script>

  10. Tester says:

    <script type=(’text/javascript’>var i = function(){alert(’ok’)}<>

  11. Tester says:

    <script type=’text/javascript’>alert(’ok’)<>

  12. Tester says:

    <script type=’text/javascript’>alert(’ok’)</script>

  13. Tester says:

    alert(’ok’)

  14. calandale says:

    This is hilarious.

  15. test says:

    < b > test < /b >

  16. waleed says:

    Thank you all very much >>> You have many interesting ideas

  17. Mohan says:

    Nice article.

    Probably following msdn link might help as a further reference to someone interested:
    http://msdn.microsoft.com/en-us/library/ms998274.aspx

  18. tester says:

    <IMG SRC="javascript:alert('XSS')"

  19. Joe says:

    I realize this post is old, but I was having this dilemma and didn't want to disable ValidateInput on my actions. So instead I tied up the javascript submit event and did an encodeURI on the element that could have potentially dangerous content.

    Then on the server side it reverses it and when displaying the content you make sure to Html.Encode everything.

  20. Kuku says:

    For MVC2 and MVC3 this won’t work.

    Here is another solution that will work for all:

    http://arturito.net/2011/05/26/ckeditor-a-potentially-dangerous-request-form-value-was-detected-from-the-client/

    No need to touch web.config or add validation attributes.

  21. ss says:

    var i = function(){alert(’ok’)}

  22. Test says:

    alert(‘tenten’);

  23. Hari says:

    I have a requirement of validating user input in a text box. Whenever an html tag is entered it should display the same view with a friendly error message like "Cannot enter html tags."

    The ways I have tried so far are:

    [ValidateInput(true)] on the Controller- It comes up with error “Potentially dangerous request”
    [ValidateInput(false)] on the Controller- It stores the value in the database-(I don’t want this)

    In the view Model I placed a tag for the property like these

    [AllowHtml]
    [RegularExpression(@"^[^]*$", ErrorMessage = "You have entered html… Html is not a valid input!")]
    [Display(Name = "Reason for Absence")]
    public string ReasonText { get; set; }

    How do I do this?
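An added example (not code from the post or from Hari's comment) of the approach this question leads to: [AllowHtml] on the property lets the value reach model binding instead of triggering the request-validation exception, and a server-side validation rule then rejects anything containing a tag character and reports it through ModelState, so the same view is redisplayed with the friendly message and the value never reaches the database. NoHtmlAttribute, AbsenceViewModel and AbsenceController are hypothetical names chosen for the example.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical validation rule (added example): fails for any value that
// contains '<' or '>'. It deliberately does not parse markup, so there is
// no tag grammar for an odd or malformed tag to slip past; the check is a
// plain character test.
public sealed class NoHtmlAttribute : ValidationAttribute
{
    public NoHtmlAttribute()
        : base("Cannot enter html tags.")
    {
    }

    public override bool IsValid(object value)
    {
        var text = value as string;
        if (string.IsNullOrEmpty(text))
        {
            return true; // emptiness is [Required]'s concern, not this rule's
        }
        return text.IndexOfAny(new[] { '<', '>' }) < 0;
    }
}

public class AbsenceViewModel
{
    // [AllowHtml] only stops ASP.NET from throwing the "potentially dangerous
    // Request.Form value" error for this one property; the value is still
    // checked by NoHtml before the action ever looks at ModelState.IsValid.
    [AllowHtml]
    [NoHtml]
    [Required]
    [Display(Name = "Reason for Absence")]
    public string ReasonText { get; set; }
}

public class AbsenceController : Controller
{
    [HttpPost]
    public ActionResult Submit(AbsenceViewModel model)
    {
        if (!ModelState.IsValid)
        {
            // Redisplay the same view; Html.ValidationMessageFor(m => m.ReasonText)
            // in the view shows "Cannot enter html tags." next to the field.
            return View(model);
        }

        // Only a value with no tag characters reaches this point, so it is
        // safe to persist it here (the hypothetical save is omitted).
        return RedirectToAction("Done");
    }
}
```

[AllowHtml] lives in System.Web.Mvc and is available from MVC 3 onward; for the regular-expression route in the comment, the pattern would need to list the angle brackets explicitly, which is exactly what the character check above does without a regex.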
