1110

Reputation: 6839

Dangerous Request.Form value was detected from the client - why?

I read all the other posts here that are related to this error. Maybe I am missing something, but I don't know what. I am using a textarea to input text (HTML text).
This textarea is bound to my domain class property:

public class SomeClass
{
    ...
    [AllowHtml]
    public string CommentText { get; set; }
    ...
}

I have also tried adding the [ValidateInput(false)] attribute, but nothing changed. But reading the error text, I see that the request doesn't even reach the controller; it breaks in Application_BeginRequest(). This is the error message:

A potentially dangerous Request.Form value was detected from the client (CommentText="<p>ddd</p>")
Line 23:         protected void Application_BeginRequest(Object sender, EventArgs e)
Line 24:         {
Line 25:             if (HttpContext.Current.Request["RequireUploadifySessionSync"] != null)
Line 26:                 UploadifySessionSync();
Line 27:         }

Source File: D:\Projects\...\Global.asax.cs    Line: 25 

Stack Trace: 


[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (CommentText="<p>ddd</p>").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8755668
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
   System.Web.HttpRequest.get_Form() +114

I know that I can turn off the check for the whole application in web.config. But I need this only in one case (to allow HTML input).
More strange is that this worked a few days ago and I didn't change anything here, just logging users in and out.
What am I doing wrong here?
OK, now I removed this code from global.asax:

if (HttpContext.Current.Request["RequireUploadifySessionSync"] != null)
    UploadifySessionSync();

And now it works. But I need this code here. Why does it produce this error?

Upvotes: 2

Views: 3130

Answers (2)

Justin Helgerson

Reputation: 25551

Your specific issue is that you've got code looking at the request parameters in BeginRequest which is earlier in the ASP.NET pipeline than when your models are bound (where an AllowHtml or ValidateInput attribute would come into play).

It looks like you are enforcing security around a flash upload with your code (I am doing something very similar).

In my case I ended up just catching an HttpRequestValidationException in the BeginRequest method and swallowing the exception. It is not best practice, but the validation will be performed later in the pipeline so you still have control over the validation.

Upvotes: 0
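
Added example, not from the question or the answers: one way to keep the flag check in BeginRequest without touching the validated Form collection, assuming ASP.NET 4.5 or later, where HttpRequest.Unvalidated is available. The class name MvcApplication, the CommentController and its Save action, and the empty UploadifySessionSync body are placeholders; only SomeClass, CommentText and the flag name come from the question.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

public class MvcApplication : HttpApplication   // placeholder name for the Global.asax class
{
    private const string SyncFlag = "RequireUploadifySessionSync";

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Request[SyncFlag] goes through Request.Form, which validates every
        // posted field at this point, long before MVC model binding gets to
        // honour [AllowHtml]. Request.Unvalidated reads the value without
        // running request validation (assumption: .NET 4.5+).
        string flag = Request.Unvalidated[SyncFlag];

        // Presence check only: the unvalidated value is never echoed, stored
        // or parsed here, so request validation stays enabled everywhere else.
        if (flag != null)
        {
            UploadifySessionSync();
        }
    }

    // Placeholder: the body of the question's method is not shown on the page.
    private void UploadifySessionSync() { }
}

public class SomeClass
{
    [AllowHtml] // exempts only this property during model binding
    public string CommentText { get; set; }
}

public class CommentController : Controller   // hypothetical controller
{
    [HttpPost]
    public ActionResult Save(SomeClass model)
    {
        // CommentText arrives as raw HTML; sanitise it against an allow-list
        // before storing or rendering it. Other bound fields are still validated.
        return new HttpStatusCodeResult(204);
    }
}
```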

Luke

Reputation: 1926

This has already been answered.

Previous Question

You need to change the way you're handling request validations to revert it back to 2.0.

Upvotes: 3
