Reputation: 21
.NET MVC3 HttpRequestValidation & JSON
I'm new to MVC3 framework (and .NET overall; Java veteran), so bear with me, but here goes:
Input submitted to a Controller as JSON doesn't seem to be subject to the HttpRequestValidation -- Does that sound right?
I realize if you're receiving data input via JSON you're possibly already doing more work with it, but the Controller Action doesn't seem to necessarily know whether it has JSON data at that point; input values are mapped to parameters just as they would be if they were standard POST params.
Example - I'm asynchronously submitting JSON data to my Controller like the following:
var data = { "title": $titleField.val(), "content": $textArea.val(),
"location": $location.val()
};
$.ajax(submitUrl,
{
type: "POST",
contentType: "application/json; charset=utf-8",
complete: function (data) {
//blah blah
},
dataType: 'json',
data: JSON.stringify(data)
});
}
I then receive the input in my Action:
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult New(string title = "", string content = "", string location = "")
{
//yada yada
}
Doing this, params are mapped and the user can easily send tags, etc. I'm not turning ValidateInput off, and if I submit with a standard POST and remove the Stringify, it throws the error as expected. Any good reason why JSONified data would skip validation?
Edit - More specific question: If JSONified data will pass HttpRequestValidation, how can we protect against the event where someone would intentionally mock a request to send JSON data instead of post params? I haven't found a way to force the Action method to differentiate between params passed as JSON vs. those passed non-encoded.
Upvotes: 1
Views: 407
Answers (2)
Reputation: 21
Got an answer for my question over on asp.net - See 2nd response.
Solution involves replacing the default ModelBinder.
Upvotes: 1
Reputation: 1038820
Any good reason why JSONified data would skip validation?
JSON is encoded => so it ensures that what transits over the wire is safe. When you use JSON.stringify all dangerous characters are encoded.
Upvotes: 0
Related Questions
- Why is JsonRequestBehavior needed?
- JsonRequestBehavior equivalent in Json.Net with Asp.Net Mvc
- Asp net mvc 5 add security to a jsonresult?
- Why RequestValidation not validate on AJAX request?
- How to secure a JsonResult?
- Securing ASP.NET MVC controller action which returns JSON
- Securing JSON and ASP.NET MVC2
- How best to secure Json requests in Mvc app?
- ASP.NET MVC JsonResult and AuthorizeAttribute
- Security Request for JSon Result in Asp.Net MVc