I have enabled OutputCache and am using the following attributes:

[OutputCache]
[ValidateInput(false)]

But I'm getting the following error:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.QueryString value was detected from the client (pool="lger<br />/for...").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +11933898
   System.Web.HttpValueCollection.EnsureKeyValidated(String key) +11932776
   System.Web.HttpValueCollection.Get(String name) +23
   System.Web.Caching.OutputCacheModule.CreateOutputCachedItemKey(String path, HttpVerb verb, HttpContext context, CachedVary cachedVary) +880
   System.Web.Caching.OutputCacheModule.OnLeave(Object source, EventArgs eventArgs) +803
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +92

Why is this happening? I don't get why the OutputCachedItemKey needs to be validated. Is there any way to disable this?

Note that it only goes wrong when the OutputCache is enabled.

Without it, everything works fine.

Update: It seems really easy to reproduce:

  1. Start a new ASP.NET project with the ASP.NET MVC template (4.5.2)
  2. Add [OutputCache( Duration = 1)]
  3. Run http://localhost:(port)/?test=%3Cscript%3E

Result: Potentially dangerous request, despite not doing anything with this parameter.

Dirk Boer

3 Answers


The issue happens because the client passed in pool="lger<br /> to the query string. Notice the HTML character <br />; this can be considered an XSS attack, and the framework handles this for you by default.

You want to keep this security enabled; imagine if the client passed up

"<script type='javascript'>//Nasty code</script>"

As part of the query string, it could be reflected or persisted to the users of your system.

You can also add the MVC attribute AllowHtml.

public class Model
{
   [AllowHtml]
   public string Pool { get; set; }
}

However, if you really want to disable Request Validation (not recommended), then you can do so via the web.config:

<system.web>
  <httpRuntime requestValidationMode="2.0" />
</system.web>
Darren
  • The `[AllowHtml]` usually goes on model properties, not on controllers. _Allows a request to include HTML markup during model binding by skipping request validation for the property._ – zgood Mar 25 '16 at 17:21
  • Hi @DarrenDavies, thanks for your quick answer. The thing is my action is working fine (I'm not reading the value). It's the OutputCache that doesn't seem to be able to handle it - see the StackTrace. – Dirk Boer Mar 25 '16 at 17:31
  • @DirkBoer - I've read it and it looks like it throws at this point `System.Web.HttpRequest.ValidateString` not at the OutputCache level. – Darren Mar 25 '16 at 17:33
  • Yes, that's correct. But it looks like ValidateString is being called by the OutputCacheModule (through Get and EnsureKeyValidated). – Dirk Boer Mar 25 '16 at 17:35

It looks like you need to be using the [AllowHtml] attribute.

See here for reference.

By default, the ASP.NET MVC framework checks requests during model binding to determine whether they contain potentially dangerous content as HTML markup. If HTML is detected, model binding throws an error. If a property is marked with the AllowHtmlAttribute attribute, the ASP.NET MVC framework skips validation for that property during model binding.

zgood
  • Hi @zgood, thanks for your quick answer. The thing is my action is working fine (I'm not reading the value). It's the OutputCache that doesn't seem to be able to handle it - see the included StackTrace. – Dirk Boer Mar 25 '16 at 17:33

The reason for the error is that OutputCachedItemKey tries to create a unique identifier for the request which includes parameter information. Doing this calls ValidateString which leads to the exception for values that are considered dangerous.

That said, I don't have a real solution either. However, if the goal is to disable caching for the action entirely, this attribute should work:

[OutputCache(Duration = 0, VaryByContentEncoding = null, VaryByCustom = null, VaryByHeader = null, VaryByParam = null)]

Paul B.
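Paul B.'s answer pins down why [ValidateInput(false)] and [AllowHtml] make no difference here: both only tell MVC model binding to skip validation, whereas the OutputCacheModule reads Request.QueryString itself while building the cache key, and in requestValidationMode 4.x every keyed read of that collection goes through System.Web.Util.RequestValidator first (that is the ValidateString frame in the stack trace). The one hook that sits on that path is a custom RequestValidator, which exempts only the keys you expect to carry markup instead of switching validation off for the whole request as the requestValidationMode="2.0" setting in Darren's answer does. The following is an added example, not code from the question or from any of the answers; the namespace MyApp, the class AllowlistRequestValidator, the query-string key "pool" and the HomeController are assumptions made for illustration.

```csharp
// Added example; MyApp, AllowlistRequestValidator, the "pool" key and
// HomeController are assumed names, not code from the original page.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
using System.Web.Util;

namespace MyApp.Security
{
    // Request validation stays on for every collection and key except the
    // query-string keys named below. It also covers the OutputCacheModule's
    // own reads of Request.QueryString, which MVC's [ValidateInput(false)]
    // and [AllowHtml] never touch.
    public class AllowlistRequestValidator : RequestValidator
    {
        // Query-string keys that are allowed to contain markup.
        private static readonly HashSet<string> AllowedQueryKeys =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "pool" };

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Exempt only the named query-string keys; form fields, cookies,
            // headers, path info and every other query-string key still go
            // through the built-in validator.
            if (requestValidationSource == RequestValidationSource.QueryString &&
                collectionKey != null &&
                AllowedQueryKeys.Contains(collectionKey))
            {
                validationFailureIndex = -1; // no failure position to report
                return true;
            }

            return base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey,
                out validationFailureIndex);
        }
    }
}

// Registration in web.config (requestValidationType needs mode 4.0 or later;
// "MyApp" is the assembly that contains the validator):
//
//   <system.web>
//     <httpRuntime requestValidationMode="4.5"
//                  requestValidationType="MyApp.Security.AllowlistRequestValidator, MyApp" />
//   </system.web>

namespace MyApp.Controllers
{
    public class HomeController : Controller
    {
        // Vary only on the parameters the action actually uses, so the cache
        // key does not grow with arbitrary client-supplied query-string keys.
        [OutputCache(Duration = 60, VaryByParam = "pool")]
        public ActionResult Index(string pool)
        {
            // The exempted value is untrusted markup. Render it with Razor's
            // @ViewBag.Pool (HTML-encoded by default), never with Html.Raw.
            ViewBag.Pool = pool ?? string.Empty;
            return View();
        }
    }
}
```

Keep the allowlist as short as possible: each key on it is a query-string value that arrives unvalidated into every handler in the application, including the cached output, so the view that renders it must encode it and nothing may echo it raw.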