Reputation: 10239
Umbraco 7 MVC - Request.Form gives me dangerous request error
In the shopping basket of my site, i need to allow a form POST of XML coming from a third-party service.
The possible solutions i can find is for webforms and < Umbraco 7. I'm aware that you can disable page validation entirely, but that's not an option in my case.
Does someone know the equivalent way of using the control <umbraco:DisableRequestValidation runat="server"/> in MVC?
Upvotes: 0
Views: 153
Answers (2)
Reputation: 2525
for security reason, I would suggest try use [AllowHtml] on property which would contain the xml content
so say you viewmodel has property call ThirdPartyContent which will have xml:
public class VM
{
public string Name { get; set; }
[AllowHtml]
public string ThirdPartyContent { get; set; }
}
this implicit state which property you are aware will contain potential malicious content (which is angle bracket)
[ValidateInput(false)] does the trick but will assume all property may contain xml content which may not be good thing
more info checkout this SO answer which say the difference between [AllowHtml] and [ValidateInput(false)]
ValidateInput(false) vs AllowHtml
Upvotes: 3
Reputation: 10239
I found the answer to my own question.
It's possible to set the [ValidateInput(false)] annotation on RenderMvcControllers. So you can do it per document type which is kinda nice.
I'll leave the answer here in case someone else needs to do the same thing.
Upvotes: 1
Related Questions
- C# MVC (Umbraco 8) - Receiving a recurrent warning in home
- umbraco mvc surface controller, can't return view from HttpPost Action
- Umbraco, POST when inheriting from RenderMVCController
- A potentially dangerous Request.Form value was detected
- MVC form POSTING null model
- Umbraco 7 UmbracoViewPage could not be found
- Hijacked Umbraco HttpPost action not firing
- Umbraco 4.11.3 - Current Request on controller type is ambiguous
- Umbraco 5 and asp.net MVC
- asp mvc "A potentially dangerous Request.Form..."