Milko Todorov

Reputation: 33

potentially dangerous Request servicestack

I am submitting a query string that contains a value Body=%3Ch2%3E (Body=<h1>) to a ServiceStack REST endpoint. That results in:

A potentially dangerous Request.QueryString value was detected from the client (Body="<h2>").

I know that in MVC 4 you can allow HTML content for a specific field, if you decorate the field in the model with [AllowHtml] like so:

[AllowHtml] public string Body { get; set; }

Did that, but the error persists. Had doubts that it was ServiceStack not partaking properly in the validation process, so tested by creating a pure MVC 4 controller with the same model, and that works fine.

However I need a solution for ServiceStack. Their documentation is thin and Google searches lead nowhere.

Upvotes: 3

Views: 2092

Answers (1)

Darin Dimitrov

Reputation: 1039200

It looks like you are hosting your ServiceStack service inside an ASP.NET application.

You could add the following to the <system.web> section of your web.config file in order to disable request validation for the entire application:

<system.web>
    <httpRuntime requestValidationMode="2.0" />
    ...
</system.web>

And if you want to disable request validation only for a particular endpoint and not the entire application use the <location> tag in your web.config:

<location path="hello">
    <system.web>
        <httpRuntime requestValidationMode="2.0" />
    </system.web>
</location>  

This will disable request validation for all /hello endpoints in your application. For example /hello?Body=%3Ch2%3E will work but /bar?Body=%3Ch2%3E won't work.

You can read more about request validation in ASP.NET in the following MSDN article.

And obviously you should not be worried about this if you are self-hosting your ServiceStack service.

Upvotes: 9
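
With request validation relaxed for /hello as in the answer above, markup in Body reaches the service unchecked, so the service has to validate it and encode it on output itself. The following is an added example, not part of the original answer or of ServiceStack; the `BodyPolicy` class, its tag allowlist and the 4000-character limit are assumptions for illustration.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical helper (not part of ServiceStack or ASP.NET): a narrow check for
// the Body field on an endpoint where request validation has been relaxed.
public static class BodyPolicy
{
    // Assumed policy: a few formatting tags, with no attributes at all.
    private static readonly Regex AllowedTag = new Regex(
        @"\G</?(?:h[1-3]|p|b|i|em|strong)>",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // True only if every '<' in body starts one of the allowed tags.
    public static bool IsAcceptable(string body, int maxLength = 4000)
    {
        if (body == null || body.Length > maxLength) return false;
        for (int i = body.IndexOf('<'); i >= 0; i = body.IndexOf('<', i))
        {
            Match m = AllowedTag.Match(body, i);   // \G anchors the match at i
            if (!m.Success) return false;          // unknown tag, attribute, or stray '<'
            i += m.Length;
        }
        return true;
    }

    // For views that must show Body as plain text rather than markup.
    public static string AsText(string body)
    {
        return WebUtility.HtmlEncode(body ?? string.Empty);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values, decoded as the service would receive them.
        string[] samples = { "<h2>Title</h2>", "<h2 class=\"x\">Title</h2>", "<script>1</script>", "a < b" };
        foreach (string s in samples)
        {
            Console.WriteLine("{0,-28} acceptable={1} text={2}",
                s, BodyPolicy.IsAcceptable(s), BodyPolicy.AsText(s));
        }
    }
}
```

Call `IsAcceptable` in the service method before storing or echoing Body and reject the request when it returns false; the check does not verify that tags are balanced.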
