A potentially dangerous Request.Form value was detected in ASP.NET MVC
If you are getting something like the following error message in ASP.NET MVC:
A potentially dangerous Request.Form value was detected from the client (Description="<p>some HTML text</p>")
This happens because of a feature called Request Validation, which is in place to protect your application against cross site scripting attacks, as described in a White Paper on ASP.NET:
Many sites are not aware that they are open to simple script injection attacks. Whether the purpose of these attacks is to deface the site by displaying HTML, or to potentially execute client script to redirect the user to a hacker’s site, script injection attacks are a problem that Web developers must contend with.
Script injection attacks are a concern of all web developers, whether they are using ASP.NET, ASP, or other web development technologies.
The ASP.NET request validation feature proactively prevents these attacks by not allowing unencoded HTML content to be processed by the server unless the developer decides to allow that content.
You need to add the following to your action method:
using System.Web.Mvc;
public class MyController : Controller {
    [ValidateInput(false)] // turns off request validation for this action only
    public ActionResult MyAction (int id, string content) {
        // ...
        return View();
    }
}
This attribute was added in ASP.NET MVC RC1, and it turns off request validation for this action and this action only. Because the raw HTML now reaches your code, you need to take special precautions and double check the content yourself for script tags, which may indicate a cross site scripting attack. If you find one, make sure to do a simple replace that renders it harmless, such as:
content = content.Replace("<script", "[script").Replace("</script>","[/script]");
The above is not the most bulletproof code, but if you are using the ValidateInputAttribute on your action, make sure to do a quick search on XSS or Cross Site Scripting and become familiar with the basics of this kind of attack.
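As an added example (not code from the original post), the small console program below puts the Replace() line above next to HTML-encoding the whole value with System.Net.WebUtility.HtmlEncode, which is what a reader would do instead; the sample inputs are constructed, and one of them uses an upper-case tag because string.Replace is case-sensitive.

```csharp
using System;
using System.Net;

// Added example: compares the post's quick Replace() with encoding the
// whole value so the browser renders it as text instead of markup.
public static class ContentSanitizer
{
    // The post's approach: neutralise "<script" and "</script>" literally.
    public static string ReplaceScriptTags(string content)
    {
        return content.Replace("<script", "[script").Replace("</script>", "[/script]");
    }

    // Encoding approach: '<', '>', '&', '"' and '\'' become entities, so
    // nothing in the value can be parsed as a tag or attribute.
    public static string EncodeForHtml(string content)
    {
        return WebUtility.HtmlEncode(content);
    }

    public static void Main()
    {
        // Constructed sample inputs (not taken from the post).
        string[] samples =
        {
            "<p>some HTML text</p>",                // harmless markup
            "<script>alert('ok')</script>",          // caught by Replace()
            "<SCRIPT>alert('ok')</SCRIPT>",          // missed: Replace() is case-sensitive
        };

        foreach (string s in samples)
        {
            Console.WriteLine("input   : " + s);
            Console.WriteLine("replace : " + ReplaceScriptTags(s));
            Console.WriteLine("encode  : " + EncodeForHtml(s));
            Console.WriteLine();
        }
    }
}
```

Encoding on output is the safe default; if some tags must be kept (the Stack Overflow case mentioned in the comments), that is a whitelist of allowed elements on top of encoding, not a replace of the ones you happen to know about.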
Tags: ASP.NET, asp.net mvc
February 4th, 2009 at 6:49 am
[...] to VoteA potentially dangerous Request.Form value was detected in ASP.NET MVC (2/3/2009)Tuesday, February 03, 2009 from Nick BerardiIf you are getting something like the following error [...]
February 9th, 2009 at 1:40 pm
Got here randomly from stackoverflow, but I think you are doing any potential readers a disservice by posting that script replace bit. Furthermore, why would you replace with brackets instead of HTML encoding? Anyway, there are way more ways to inject script than that. Like blah
February 9th, 2009 at 7:35 pm
Come on Shawn, was that your best attempt at trying to inject script into my blog? Don't think that just because I talk about the basics that I am not well protected.
Also there are valid reasons to only replace the script tag, like what Jeff does on Stack Overflow with the WMD Rich Text Editor. Granted his solution is more elegant, but I am not going for a robust solution here, just a quick and dirty method to get people in the mindset of what they need to look for.
February 9th, 2009 at 7:43 pm
No, I was just posting the line not realizing it wouldn't be HTML encoded. I thought it would show up as text. That's not even what they need to look for. They need to HTML encode everything, and then whitelist the good stuff. Nice blog software though, did you write it?
February 13th, 2009 at 5:12 pm
ASP.NET MVC RC1, ValidateInput, A potential dangerous request and the Pitfall…
In the latest release of ASP.NET MVC, a new attribute ValidateInput is introduced which is same as Web…
July 29th, 2009 at 8:03 am
alert(‘!Oops’)
July 30th, 2009 at 8:23 am
Will everybody please stop trying to test my input form. It is very well validated as you can see from everybody above. I strip out the script tags and just leave the contents.
November 30th, 2009 at 2:46 pm
<>var i = function(){alert(‘ok’)}<>
November 30th, 2009 at 2:47 pm
<>var i=function(){alert(‘ok’)}
November 30th, 2009 at 2:50 pm
<><> var i=function(){alert(‘ok’)} <><>
November 30th, 2009 at 2:51 pm
<script>var i = function(){alert(’ok’)}</script>
November 30th, 2009 at 2:52 pm
<script type=(’text/javascript’>var i = function(){alert(’ok’)}<>
November 30th, 2009 at 2:54 pm
<script type=’text/javascript’>alert(’ok’)<>
November 30th, 2009 at 2:55 pm
<script type=’text/javascript’>alert(’ok’)</script>
November 30th, 2009 at 2:56 pm
alert(’ok’)
December 9th, 2009 at 8:46 am
This is hilarious.
December 10th, 2009 at 7:40 am
< b > test < /b >
January 8th, 2010 at 11:07 am
Thank you all very much >>> You have many interesting ideas