6

When I put in HTML characters in my form, such as <br />, ASP.NET throws an internal 500 exception as described here.

A potentially dangerous Request.Form value was detected from the client (Name="<br />").

Ok, so it's protecting me from unencoded characters that could be used for malicious reasons.

The problem, and this is answered nowhere in my long search, is what to do about it. I.e. my application shouldn't just be throwing a generic internal server error when a user inputs bad characters (what if they're drawing an arrow such as <--).

What would be better is to simply return to the page with a ModelState error that says "Please don't use HTML characters" or something meaningful.

But how is this to be achieved? The error is thrown way before it gets to my code. Also, I don't want to just turn it off via validateRequest="false" and then have to validate every single form in my application for HTML characters and return an error.

Is there a way to leave this type of validation enabled but just handle it differently?

Code for clarification:

Model

Public Class SomeModel
    Public Property SomeField As String
End Class

Controller

<HttpPost>
Function SomeController(ByVal model As SomeModel) As ActionResult
    ' model.SomeField contains some HTML characters :O
    ' but it doesn't matter, since an internal error has occurred :(
    Return View(model)
End Function
Rowan Freeman

4 Answers

3

Have you tried adding the AllowHtml attribute to the property of your viewmodel?

Pablo Romeo
  • Yeah, and that works, but people say that you must then validate everything yourself. If the only alternative is using everywhere then why does ASP.NET validate anything in the first place? My main question is why, and what's the best (standard) way to resolve this? – Rowan Freeman Mar 12 '13 at 05:05
  • 1
    I see. However, you probably shouldn't be using the AllowHtml attribute all over the place. Only in the properties that could potentially contain html. Well, if you want to just handle the error differently, you can add a HandleError action filter and specify the exception to be System.Web.HttpRequestValidationException. That should let you customize how the error is handled. If you want to actually change the way that internal validation is done, you may have to extend the default model binder. – Pablo Romeo Mar 12 '13 at 05:30
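Following Pablo Romeo's suggestion of a filter keyed on System.Web.HttpRequestValidationException, here is an added example (not from the answer or from ASP.NET itself) of an exception filter that turns that exception into a ModelState error and re-renders the view of the action that was posted to, instead of a 500 page. The class names HandleRequestValidationAttribute and FilterConfig are hypothetical, and it assumes ASP.NET MVC 3 or later, where exception filters also cover failures raised during request validation and model binding.

```vbnet
Imports System.Web
Imports System.Web.Mvc

' Hypothetical exception filter: converts the framework's
' HttpRequestValidationException into a ModelState error and re-renders
' the posted-to view, leaving request validation itself switched on.
Public Class HandleRequestValidationAttribute
    Inherits FilterAttribute
    Implements IExceptionFilter

    Public Sub OnException(filterContext As ExceptionContext) Implements IExceptionFilter.OnException
        ' Only handle the request-validation failure; leave every other exception alone.
        If Not TypeOf filterContext.Exception Is HttpRequestValidationException Then Return
        If filterContext.ExceptionHandled Then Return

        Dim controller = filterContext.Controller

        ' Binding was aborted before the action ran, so no model or field values
        ' are available here; the message is attached as a model-level error.
        controller.ViewData.ModelState.AddModelError(String.Empty,
            "Please don't use HTML characters (such as < or >) in the form.")

        ' Re-render the view belonging to the action that received the post.
        Dim actionName = Convert.ToString(filterContext.RouteData.Values("action"))
        filterContext.Result = New ViewResult With {
            .ViewName = actionName,
            .ViewData = controller.ViewData,
            .TempData = controller.TempData
        }
        filterContext.ExceptionHandled = True
    End Sub
End Class

' Register it once for every action (called from Application_Start in Global.asax.vb),
' or apply <HandleRequestValidation> to individual controllers or actions instead.
Public Class FilterConfig
    Public Shared Sub RegisterGlobalFilters(filters As GlobalFilterCollection)
        filters.Add(New HandleRequestValidationAttribute())
    End Sub
End Class
```

Because binding is aborted before the action runs, the filter cannot repopulate the form with the rejected values; the view is rendered with the model-level error and empty fields.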
2

It is definitely possible to show your own error page with whatever message you see fit.
You use customError pages for this.

You can configure these error pages to be shown for the appropriate error code.

<configuration>
   <system.web>
      <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" 
                    defaultRedirect="GenericError.htm">
         <error statusCode="500" redirect="InternalError.aspx"/>
      </customErrors>
   </system.web>
</configuration>

Displaying a Custom Error Page

On your error page you can detect the last error with Server.GetLastError() and use it to show an appropriate message, if you want this case of html data to be handled differently.

nunespascal
  • Ideally I'd want to return to the same page (form), rather than an entirely different page with a generic "HTML characters detected". Is this possible? – Rowan Freeman Mar 12 '13 at 05:29
  • The `redirectMode="ResponseRewrite"` keeps the url the same. If the user were to submit without sending the faulty data the proper page would open – nunespascal Mar 12 '13 at 05:40
1

It sounds like what you want is to have it turned off globally.

Your concern of having to validate every single input in your application is less of a problem than it used to be with both razor and the <%: %> asp.net web pages syntax automatically HTML encoding output. The only fields of your application that you would need to manually validate to make sure that they didn't contain HTML would be fields that get displayed as un-encoded raw text.

RyanHerbert
  • Yeah, agreed. I noticed that everything is very safe, so why does ASP.NET throw this error in the first place? Try this: Go to any MVC web application that you can think of, go to a form (such as login) and enter
    in a field and submit. If you get an error then those web admins haven't accounted for this either :P
    – Rowan Freeman Mar 12 '13 at 21:38
0

To allow restricted input in the model use the AllowHtmlAttribute on the model property. That's the first step.

Then create a custom validator or use the RegularExpressionAttribute to validate the input to your spec.

Or, if you want to allow the user to input restricted characters, use HttpUtility.HtmlEncode to encode the value.

traceagent
  • Ideally I'd want to return to the same page (form) with an added ModelState.Error. But that means applying to every field and then using validation on every field (i.e. a validation attribute). What a headache :( I guess there is no quick fix for this. – Rowan Freeman Mar 12 '13 at 05:30