Thursday, March 15, 2012

ASP.NET MVC 3: A Potentially Dangerous Request.Form Value was Detected From The Client

Last week, our users reported a bug that they got the following error back when  submitting some data inside the ASP.NET MVC application we are building:

“A potentially dangerous Request.Form value was detected from the client.”

ValidateInputASPNETMVC

 

This is caused by the ASP.NET request validation. Request validation is actually a good thing since it keeps people from injecting script tags in our application for Cross-Site Scripting ( XSS ) attacks. OK that’s fine, I understand this from a security perspective. But what if the user should be able to enter some special characters in some fields?

AllowHtmlAttribute

Let’s introduce the AllowHtmlAttribute, a property attribute that we can include on model properties to disable request validation on a property by property basis. Now we can turn off request validation just on the properties we want by adding the [AllowHtml] Attribute to it:

public class Order
{
public string Description{get;set;}

[DataType(DataType.MultilineText)]
[AllowHtml]
public string Remarks {get;set;}
}

No comments: