
In my ASP.NET MVC 5 app, I'm reading some data from a form then making a jQuery ajax call to an action method in the backend to save it into my database.

In the form, if I enter some text with HTML tags in it, I'm getting an error because of the HTML tags. I'm getting the standard "...potentially dangerous..." error.

I'm sanitizing the data in the back end using GetSafeHtmlFragment() but the error is generated as soon as the data reaches my action method.

What is the correct way to send data to my action method from a client-side script, e.g. a jQuery ajax call? Do I first HTML encode the data in my, say, JS event handler, then send it to my action method?

Sam
    This should answer your question: http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client – Papa Jun 18 '14 at 00:37

1 Answer

It does not matter whether it is a client-side script (XHR) or a direct HTTP request; the ASP.NET runtime blocks the request using Request Validation.

Well, in MVC this happens before you reach the GetSafeHtmlFragment() in your Action method. What you need to do is turn off Request Validation for the action method that is expecting data with markup.

You have fine-grained control over how you want to turn off the Request Validation.

  1. If you have a Model class where your markup data is a property, use the [AllowHtml] attribute to decorate that Model's property, so the request validation would not be applied for that property.

  2. If you want to turn off request validation for the Action method or for the entire Controller, use [ValidateInput(false)] on the Action method or the Controller itself.

Without a stack trace or more detail, that is the best answer I could come up with. Turning off request validation is not bad as long as you understand that you are allowing markup (including the potentially dangerous kind) as your data.

Since you already have GetSafeHtmlFragment(), turn off Request Validation for the particular property, or for the Action method. And with respect to Microsoft's AntiXSS library as a sanitizer, a couple of things you should be aware of are below:

gmaran23
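A minimal implementation of the two options the answer describes, as an added example that is not code from the question or the answer. The CommentInput model, CommentsController, the ajax field names and the commented-out repository call are assumptions; Sanitizer.GetSafeHtmlFragment is the AntiXSS method already mentioned above.

```csharp
using System.Web.Mvc;
using Microsoft.Security.Application; // AntiXSS library: Sanitizer.GetSafeHtmlFragment

namespace MyApp
{
    public class CommentInput // hypothetical model bound from the ajax POST
    {
        public int PostId { get; set; }

        // Option 1: request validation is skipped for this property only;
        // every other field in the request is still checked by the runtime.
        [AllowHtml]
        public string Body { get; set; }
    }

    public class CommentsController : Controller // hypothetical controller
    {
        // Bound from a jQuery call such as:
        //   $.ajax({ url: '/Comments/Save', type: 'POST',
        //            data: { postId: 42, body: $('#body').val() } });
        // No client-side HTML encoding is needed; the field names match the model.
        [HttpPost]
        public ActionResult Save(CommentInput input)
        {
            if (!ModelState.IsValid)
                return new HttpStatusCodeResult(400);

            // The raw markup now reaches the action. Reduce it to a safe fragment
            // before it goes anywhere near the database, and persist only that.
            string safeBody = Sanitizer.GetSafeHtmlFragment(input.Body ?? string.Empty);

            // repository.SaveComment(input.PostId, safeBody); // hypothetical data-access call
            return Json(new { ok = true, body = safeBody });
        }

        // Option 2: no model class to decorate, so validation is disabled for the
        // whole action. Every parameter of this request is then unvalidated, which
        // is why the sanitizer is applied before the value is used at all.
        [HttpPost, ValidateInput(false)]
        public ActionResult SaveRaw(int postId, string body)
        {
            string safeBody = Sanitizer.GetSafeHtmlFragment(body ?? string.Empty);
            return Json(new { ok = true, postId = postId, body = safeBody });
        }
    }
}
```

Only the decorated property (option 1) or the decorated action (option 2) bypasses Request Validation; the sanitized fragment is the value to store and later render, never the raw input.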