MVC 4 - Razor - "a potentially dangerous request.form value was detected from the client"
I have an iframe on my view that links to an external site. This site takes in some values and some config settings. As part of these config settings is a "CallBackURL". This external website posts to this CallBackURL.

I specified the CallBackURL to be an action on my controller.

View Code

<form id="testForm" method="post" target="testFrame">
  <input type="hidden" name="RequestXML" id="RequestXML" value="<Request><RedirectURL>Account/TokenRequest</RedirectURL></Request>" />
</form>

<iframe id="testFrame" name="testFrame" frameborder="0" style="width:1000px;height:500px"></iframe>

Controller Code

  [HttpPost]
  [ValidateInput(false)]
  public ActionResult TokenRequest()
  {
    if (Request.Form["ResponseXML"] != null)
      ViewBag.ResponseXML = Request.Form["ResponseXML"];

    return PartialView();
  }

Inside my controller action I get the following error: "a potentially dangerous request.form value was detected from the client"

I also set this in the web.config:

<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false"...

What am I doing wrong?

EDIT I was editing the wrong web.config file. I was adding it to the web.config inside the views folder. Once I changed it to the right place it started working.

Anarchy answered 25/4, 2012 at 18:52 Comment(2)
It's probably the antixsser catching the angle brackets. Try to Server.HTMLEncode the Request.Form statement. - Omega
I tried that, it does not work. I still get this error: A potentially dangerous Request.Form value was detected from the client (ResponseXML="<Response><Cl..."). - Anarchy

The above solution was not working for me in MVC4. What works for me is only to put an attribute above the action. No need to change your web.config or add AllowHtml attribute.

[HttpPost]
[ValidateInput(false)]
public ActionResult TokenRequest(TokenRequestModel model)
{
  if (!string.IsNullOrEmpty(model.ResponseXML))
    ViewBag.ResponseXML = model.ResponseXML;
  // ...
  return PartialView();
}
Chrissychrist answered 3/8, 2012 at 9:4 Comment(1)
This worked for me, but I'm using parameterized SQL sprocs for passing the data to the database, so I'm not worried about SQL injection etc.; however, I guess you'd just want to warn users that they need to provide their own validation implementation... again not a concern with my intranet application and limited user group. - Lakendra

Try using a model instead of reading the HTML control directly, and also use the AllowHtml attribute.

Model:

public class TokenRequestModel
{
   [AllowHtml]
   public string ResponseXML { get; set; }
}

Action:

[HttpPost]
public ActionResult TokenRequest(TokenRequestModel model)
{
  if (!string.IsNullOrEmpty(model.ResponseXML))
      ViewBag.ResponseXML = model.ResponseXML;

  return PartialView();
}
Hubbub answered 9/5, 2012 at 10:15 Comment(1)
Elegant solution, worked in MVC4. Added [AllowHtml] to the C# property that matches the @Html.TextAreaFor() in the View. All HTML angle brackets typed into this field now load and save correctly. - Vuong

You can try

  [HttpPost]
  public ActionResult TokenRequest()
  {
    if (Request.Unvalidated().Form["ResponseXML"] != null)
      ViewBag.ResponseXML = Request.Unvalidated().Form["ResponseXML"];

    return PartialView();
  }

I think the Unvalidated() will make the error go away without the need to edit web.config.

Bedaub answered 12/6, 2013 at 9:20 Comment(0)

I tried this and it worked for me:

On form submit, call a JavaScript function that saves the value, encoded using encodeURIComponent, in a hidden field.

Then, in the same function, clear the value of the textbox that holds the dangerous value. This way the form submits just the encoded value.

<input type="submit" value="Save" class="btn btn-danger" onclick="encodeLabel1()" />

<script>
  function encodeLabel1() {
    var label = $('#txt').val();
    $('#hfLabel1Encoded').val(encodeURIComponent(label));
    $('#txt').val('');
  }
</script>

This is a workaround but it works and the validation is still active.

Revolute answered 4/10, 2018 at 8:4 Comment(0)
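The following is an added example, not code from the thread or from ASP.NET, that simulates what the browser posts and what the server sees for the ResponseXML field, both as in the question and with the encodeURIComponent workaround from the answer above. It shows why the plain submission trips request validation, why the pre-encoded submission passes it (the validator sees `%3CResponse%3E`, not `<Response>`), and that once the application decodes the field itself the original markup is back. That is the same situation the `[ValidateInput(false)]`, `[AllowHtml]` and `Request.Unvalidated()` answers put you in: the markup reaches your code, so HTML-encoding it on output (which Razor's `@` syntax does by default and `@Html.Raw` does not) is the control that actually matters. The sample XML, the field names and the `isDangerousFormValue` heuristic are constructed for the demo; the heuristic approximates the ASP.NET 4 request-validation rule and is not the framework's own code.

```javascript
// Added example (not from the original thread): simulates a form post with
// and without the encodeURIComponent workaround. Field names and sample XML
// are constructed; isDangerousFormValue approximates ASP.NET 4 request
// validation and is not the framework's own implementation.

// Constructed sample of the kind of value the external site posts back.
const SAMPLE_XML = '<Response><Client>42</Client></Response>';

// Approximation of ASP.NET 4.x request validation for form values: a value is
// rejected when it contains '<' followed by a letter, '!', '/' or '?', or the
// sequence '&#'. A bare '<' followed by a space (e.g. "1 < 2") is accepted.
function isDangerousFormValue(value) {
  return /<[a-zA-Z!\/?]|&#/.test(value);
}

// What the browser does for application/x-www-form-urlencoded: percent-encode
// each name and value exactly once (spaces as '+').
function encodeFormBody(fields) {
  return Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v).replace(/%20/g, '+')}`)
    .join('&');
}

// What the server does on receipt: split the body and decode exactly once.
function parseFormBody(body) {
  const out = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    out[decodeURIComponent(k.replace(/\+/g, '%20'))] = decodeURIComponent(v.replace(/\+/g, '%20'));
  }
  return out;
}

// Request-validation outcome for every field of a posted body.
function validateForm(body) {
  const form = parseFormBody(body);
  const rejected = Object.entries(form)
    .filter(([, v]) => isDangerousFormValue(v))
    .map(([k]) => k);
  return { form, rejected };
}

// Minimal HTML encoder for the output side; Razor's @ syntax does the
// equivalent automatically, @Html.Raw bypasses it.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Scenario 1: plain submission, as in the question. After the server's single
// decode the field contains '<Response', so request validation rejects it.
function plainSubmission() {
  return validateForm(encodeFormBody({ ResponseXML: SAMPLE_XML }));
}

// Scenario 2: the workaround. The page applies encodeURIComponent before the
// browser's own encoding, so after the server's single decode the field still
// reads '%3CResponse%3E...' and passes the check. The application then has to
// decode once more, at which point the original markup is back and must be
// HTML-encoded before it is rendered.
function workaroundSubmission() {
  const hidden = encodeURIComponent(SAMPLE_XML);   // what encodeLabel1() stores
  const { form, rejected } = validateForm(encodeFormBody({ hfLabel1Encoded: hidden, txt: '' }));
  const recovered = decodeURIComponent(form.hfLabel1Encoded);
  return {
    rejected,
    seenByValidator: form.hfLabel1Encoded,
    recovered,
    safeToRender: htmlEncode(recovered),
  };
}

console.log(plainSubmission().rejected);   // [ 'ResponseXML' ]
console.log(workaroundSubmission());
```

Run it with `node` to see both scenarios. The point of `recovered` equalling the original XML is that request validation was never a filter on the content, only on its encoding at the moment of the check; the field has to be treated as untrusted markup wherever it is rendered or parsed.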