
I've been searching all day and I'm pretty confused about preventing script from being submitted in my MVC application. Most of what I am finding is telling me how to disable request validation, which is not what I want.

In the web.config in the Views folder it states

Enabling request validation in view pages would cause validation to occur after the input has already been processed by the controller. By default MVC performs request validation before a controller processes the input. To change this behaviour apply the ValidateInputAttribute to a controller or action.

That makes it sound like my MVC app should throw the 'potentially dangerous Request.Form value was detected' error when I attempt to submit script tags, but I am still able to submit something like:

</input><script>alert("hello world");</script>

And when I load the page the script has been added to I get a JS alert box.

Why am I able to submit potentially dangerous script? What am I missing?

  • In a default MVC4 application, request validation is enabled and you should not be able to submit a script tag as POST data, but you're saying you can? Have you modified the application in any way? Is it a fresh MVC4 application? Is the request definitely a POST (and is the action marked as such?) – Rowan Freeman Mar 11 '14 at 00:19
  • It is not a fresh application. There are lots of changes/modifications and most submissions are via jQuery 'POST' ajax methods. The last controller method I experimented with has the [HttpPost] attribute. – killerbunnyattack Mar 11 '14 at 17:39

0 Answers
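The following controller is an added example written for this page; it is not code from the question, and the model, controller and action names are assumptions. It shows the behaviour the web.config note describes (request validation runs before the action for a form post), why the jQuery POSTs mentioned in the comments can get past it (request validation never inspects a JSON body), the two explicit opt-outs, and why the alert fires at all (unencoded output):

```csharp
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Model and controller names are assumptions made for this example.
public class CommentInput
{
    public string Author { get; set; }
    public string Body { get; set; }
}

public class RichCommentInput
{
    public string Author { get; set; }
    [AllowHtml]                  // disables request validation for this one property
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    // Stand-in for persistence so the example is self-contained.
    private static readonly Dictionary<string, string> Store = new Dictionary<string, string>();

    // Case 1: classic form post (application/x-www-form-urlencoded).
    // MVC flags the request for validation before the action runs, so when the
    // form value provider reads Request.Form a Body of
    // '</input><script>alert("hello world");</script>' raises
    // HttpRequestValidationException ("A potentially dangerous Request.Form
    // value was detected ...") and this method is never entered.
    //
    // Reproduce:  curl -d 'Author=a&Body=<script>alert(1)</script>' \
    //                  http://localhost:PORT/Comments/Create          -> 500
    //
    // Case 2: the same action reached by a jQuery call that sends JSON:
    //   $.ajax({ type: "POST", url: "/Comments/Create",
    //            contentType: "application/json",
    //            data: JSON.stringify({ Author: "a", Body: "<script>alert(1)</script>" }) });
    // Request validation only inspects Request.Form, QueryString, Cookies,
    // Headers and the URL. A JSON body is read from Request.InputStream by
    // JsonValueProviderFactory and is never validated, so the markup binds
    // and is stored exactly as if validation were switched off.
    //
    // Reproduce:  curl -H 'Content-Type: application/json' \
    //                  -d '{"Author":"a","Body":"<script>alert(1)</script>"}' \
    //                  http://localhost:PORT/Comments/Create          -> 302, stored
    [HttpPost]
    public ActionResult Create(CommentInput input)
    {
        Store[input.Author] = input.Body;
        return RedirectToAction("Show", new { id = input.Author });
    }

    // Case 3: explicit opt-outs that let markup through a form post as well.
    [HttpPost]
    [ValidateInput(false)]        // whole action unvalidated
    public ActionResult CreateUnvalidated(CommentInput input)
    {
        Store[input.Author] = input.Body;
        return RedirectToAction("Show", new { id = input.Author });
    }

    [HttpPost]
    public ActionResult CreateRich(RichCommentInput input)   // only Body unvalidated, via [AllowHtml]
    {
        Store[input.Author] = input.Body;
        return RedirectToAction("Show", new { id = input.Author });
    }

    // Case 4: what actually fires the alert. Request validation is an input
    // blocklist, not an XSS defence; the page is safe only if output is encoded.
    // Razor's @Model encodes, so a stored "<script>" renders as &lt;script&gt;.
    // An alert box means the value was written unencoded, e.g. via
    // @Html.Raw(body) or new MvcHtmlString(body). Encoding at the output
    // boundary closes the hole whichever input path the markup took.
    public ActionResult Show(string id)
    {
        string body;
        if (!Store.TryGetValue(id, out body)) return HttpNotFound();

        ViewBag.EncodedBody = HttpUtility.HtmlEncode(body); // safe even if the view uses Html.Raw
        return View(model: body);                            // or simply @Model in the view
    }
}
```

To confirm which path a page takes, send the two curl requests above against the action in question: a 500 with the "potentially dangerous" message means request validation saw the value; a success for the JSON variant means the value bypassed it and only output encoding stands between the stored string and the browser.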