A potentially dangerous Request.Form value was detected from the client (UserName="<abddd").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (UserName="<abddd").
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (UserName="<abddd").]
System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8730740
Microsoft.Web.Infrastructure.DynamicValidationHelper.DeferredValidator.EnsureEntryValidated(NameObjectEntryWrapper nameObjectEntry) +165
Microsoft.Web.Infrastructure.DynamicValidationHelper.ValidatingArrayList.get_Item(Int32 index) +56
System.Collections.Specialized.NameValueCollection.GetKey(Int32 index) +16
System.Collections.Specialized.NameValueCollection.Add(NameValueCollection c) +68
System.Web.Mvc.FormCollection..ctor(NameValueCollection collection) +49
System.Web.Mvc.FormCollectionModelBinder.BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext) +62
System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) +319
System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) +116
System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +345
System.Web.Mvc.Controller.ExecuteCore() +115
System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +94
System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext) +10
System.Web.Mvc.<>c__DisplayClassb.<BeginProcessRequest>b__5() +37
System.Web.Mvc.Async.<>c__DisplayClass1.<MakeVoidDelegate>b__0() +21
System.Web.Mvc.Async.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) +12
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
System.Web.Mvc.<>c__DisplayClasse.<EndProcessRequest>b__d() +47
System.Web.Mvc.SecurityUtil.<GetCallInAppTrustThunk>b__0(Action f) +7
System.Web.Mvc.SecurityUtil.ProcessInApplicationTrust(Action action) +23
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +59
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +8836977
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +184
Marked as answer by hjf1223 on Nov 11, 2010 02:27 AM
Marked as answer by ricka6 on Nov 12, 2010 10:17 PM
kahlua001us
MVC3 RC & ValidateInput
Nov 09, 2010 11:24 PM
Hi,
I installed MVC 3 RC; I was using MVC 3 Beta before. Controller actions that have the ValidateInput(false) attribute now break, meaning that I get a potentially dangerous input error message when submitting HTML tags. I've been reading about the SkipRequestVerification attribute, but that applies to model attributes. In my situation, various actions will use the same generic model, so I can't apply it on the model itself but rather on the action, as some will allow HTML tags and some will not. Also, my model is in another assembly, so am I to assume that this assembly, which holds nothing but LINQ to SQL models, should reference System.Web.Mvc just for this attribute? Is there any way to disable this SkipRequestVerification processing? Or does anyone know why suddenly ValidateInput stopped working?
Thanks
kahlua001us
Re: MVC3 RC & ValidateInput
Nov 10, 2010 04:56 AM
So I created a blank MVC 3 RC site. I discovered that an action method that has FormCollection as a parameter will result in a potentially dangerous input error even with ValidateInput(false). But an empty method signature does not cause an error.
"<html></html>" is submitted in both cases below.
--This does not cause an error
[ValidateInput(false)]
public ActionResult Test()
{
    return View("~/Views/Home/About.cshtml");
}
--This causes error
[ValidateInput(false)]
public ActionResult Test(FormCollection Values)
{
    return View("~/Views/Home/About.cshtml");
}
Does anyone know why this is in RC and how to resolve this?
marcind
Microsoft
Re: MVC3 RC & ValidateInput
Nov 10, 2010 07:11 AM
We've made some under-the-covers changes to how request validation works. The short of it is that in the past any input submitted to your application caused a validation error, even if your application did not actually ever look at that input. In MVC 3 we've made it so that in certain scenarios (for example model-binding to models using SkipRequestValidation) request validation is performed on-demand or does not happen at all. However, not all scenarios currently support this and binding to a FormCollection falls into that category. We will consider improving this scenario, though no promises right now.
Regarding why your ValidateInput(false) attribute has no effect, this is related to the fact that request validation got moved to a different point in the ASP.NET processing pipeline in .NET 4 and this attribute will not work in this particular scenario unless you specify 2.0-mode request validation.
ASP.NET Team
hjf1223
Re: MVC3 RC & ValidateInput
Nov 10, 2010 09:06 AM
I want to upgrade MVC 2 to MVC 3. But this problem broke me.
I have already added:
This works in MVC 2, but breaks in MVC 3. Temporarily giving up.
levib
Microsoft
Re: MVC3 RC & ValidateInput
Nov 10, 2010 11:34 PM
Please post a stack trace of the exception along with the controller code that's causing the exception. That would help us determine what changes we would need to make to our request validation implementation to make this scenario start working again.
Thanks!
hjf1223
Re: MVC3 RC & ValidateInput
Nov 11, 2010 12:12 AM
The controller is:
The web.config:
<pages validateRequest="false">
  <namespaces>
    <add namespace="System.Web.Helpers" />
    <add namespace="System.Web.Mvc" />
    <add namespace="System.Web.Mvc.Ajax" />
    <add namespace="System.Web.Mvc.Html" />
    <add namespace="System.Web.Routing" />
    <add namespace="System.Web.WebPages"/>
  </namespaces>
</pages>
<httpRuntime requestValidationMode="2.0" />
The exception:
levib
Microsoft
Re: MVC3 RC & ValidateInput
Nov 11, 2010 12:20 AM
Thanks for the sample. We're seeing what we can do about this for the next release. You should be able to work around it in the meantime by changing your controller code to the following:
[HttpPost]
[ValidateInput(false)]
public ActionResult LogOn(LogOnModel model, string returnUrl) {
    FormCollection form = new FormCollection(Request.Unvalidated().Form);
    // ...
}
The Request.Unvalidated() extension method is located in the System.Web.Helpers namespace.
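Added example (not part of the thread and not Microsoft's code): the workaround above reads the whole form with request validation bypassed, so this sketch follows the error page's advice to explicitly check all inputs by re-checking every field that is not meant to carry HTML and leaving encoding of the one that is to the view. The controller, the "Saved" view, the "Body" field and the LooksLikeMarkup helper are hypothetical names chosen for illustration.

```csharp
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Web.Helpers;   // Request.Unvalidated()
using System.Web.Mvc;

public class CommentController : Controller   // hypothetical controller
{
    // Assumption: "Body" is the only field meant to carry HTML.
    private static readonly string[] HtmlFields = { "Body" };

    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Save()
    {
        // Raw values: request validation is bypassed for everything read here.
        NameValueCollection raw = Request.Unvalidated().Form;

        // Re-check every field that is not expected to hold markup.
        foreach (string key in raw.AllKeys.Where(k => k != null))
        {
            bool htmlAllowed = HtmlFields.Contains(key, StringComparer.OrdinalIgnoreCase);
            if (!htmlAllowed && LooksLikeMarkup(raw[key]))
                return new HttpStatusCodeResult(400);
        }

        // Hand the raw text to the view as the model. The cast stops MVC from
        // treating the string as a view name. The view must emit it through an
        // encoding construct (@Model in Razor, <%: %> in ASPX).
        string body = raw["Body"] ?? string.Empty;
        return View("Saved", (object)body);   // "Saved" is a hypothetical view
    }

    // Simplified stand-in for a markup check, not the framework's own algorithm:
    // flags '<' followed by a letter, '!', '/' or '?', and the sequence "&#".
    private static bool LooksLikeMarkup(string value)
    {
        if (string.IsNullOrEmpty(value)) return false;
        for (int i = 0; i < value.Length - 1; i++)
        {
            char c = value[i], next = value[i + 1];
            if (c == '<' && (char.IsLetter(next) || next == '!' || next == '/' || next == '?'))
                return true;
            if (c == '&' && next == '#')
                return true;
        }
        return false;
    }
}
```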
hjf1223
Re: MVC3 RC & ValidateInput
Nov 11, 2010 02:21 AM
Looking forward to the new version!
JoeReynolds
Re: MVC3 RC & ValidateInput
Nov 12, 2010 08:02 PM
I'm not having much luck on the MVC 3 upgrade. On pages that have controller actions for both get and post I'm receiving errors on the Get related to antiforgery.
Exception Details: System.ArgumentNullException: Buffer cannot be null.
Line 35: <% Html.EnableClientValidation();%>
Line 36: <% using (Html.BeginForm()) {%>
Line 37: <%= Html.AntiForgeryToken() %>
Line 38:
Line 39: <%= Html.ValidationSummary("Error Summary:", new { @class = "TextArial10B" })%>
Source File: c:\inetpub\ForumsMVC\forums\Views\About\Edit.aspx Line: 37
Stack Trace:
levib
Microsoft
Re: MVC3 RC & ValidateInput
Nov 12, 2010 08:14 PM
This is a different issue. After upgrading your site, please close all open browser instances to clear your session cookies. This should remove the old anti forgery token cookie, so the next time you generate the form it will create a new valid cookie. We have an active work item to handle this condition better (without forcing you to restart your browser) and plan on getting it in shortly.