ASP.NET MVC ValidateInput(false) stops working with xVal and [RegularExpression] DataAnnotation
D

6

20

I would like to intercept the "<" character in the form field by a regex validator. I will describe the problem in 3 steps:

Step 1: When I try to submit a form with a field containing the "<" character, I get the "Potentially dangerous request..." - as expected in ASP.NET.

Step 2: To avoid ASP.NET's RequestValidation, I decorate my Update method in the controller with "[ValidateInput(false)]".

It works as expected - now I can post "<" character without error.

Step 3: I use xVal with DataAnnotations. For example, [Required] or [StringLength(255)] works as expected.

BUT when I use: [RegularExpression("^[^<>]*$", ErrorMessage = "Special characters are not allowed.")], I get the "Potentially dangerous request..." error again, despite the [ValidateInput(false)] directive.

What's happening? Is there a simpler way for regex validation, but with [ValidateInput(false)] in place? Of course, I'd like to have my validation code in the model, not in the controller.

Disencumber answered 24/6, 2009 at 12:38 Comment(2)
Given that the SO Community bot has pushed this to the top, can you confirm whether or not this is still an issue? – Belsen
No, it was an issue in MVC 1 + xVal. In MVC 2 the validation works as supposed (and there's no need for xVal anymore). – Disencumber
P
0

No, it was an issue in MVC 1 + xVal. In MVC 2 the validation works as supposed (and there's no need for xVal anymore) – Alex42

Looks like the bot keeps on pushing this one to the top still. Could you mark an answer as accepted so that it knows?

Paracasein answered 7/1, 2011 at 0:1 Comment(0)
K
0

I'm using xVal & nhibernate.validator and I tried to reproduce this behavior, but because the validator is tied into the client side I couldn't get a value past the client side validation. When I disabled JavaScript, it got to the server side validation, and was caught by the regular expression validator.

I tried the same thing with using the data annotations validation attributes and model binder and it made it past as well.

There must be something else going on that is causing the error. Sorry I couldn't be more helpful!

Keratosis answered 30/7, 2009 at 13:39 Comment(0)
R
0

Try validating using a simple rule with this method. This can at least eliminate xVal from the equation. If the problem persists then I'd suggest it's related to either:

  • the implementation of MVC's default Model Binder
  • or there is a problem with the MVC view engine in the release you're using that's somehow allowing an exception to be made for the attribute you specified by validating the < when it shouldn't be

Reeves answered 25/11, 2009 at 6:19 Comment(0)
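
One way to take xVal and the MVC model binder out of the picture, as suggested above, is to run the DataAnnotations rules directly. This is an added example, not code from the question or any answer; it assumes .NET 4 or later (for `Validator`), and `CommentModel`, `IsValid` and the sample inputs are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Net;

// Hypothetical model; the attributes and the regex are the ones quoted in the question.
public class CommentModel
{
    [Required]
    [StringLength(255)]
    [RegularExpression("^[^<>]*$", ErrorMessage = "Special characters are not allowed.")]
    public string Text { get; set; }
}

public static class Program
{
    // Evaluates the attributes with no controller, model binder or xVal involved,
    // so any failure here comes from the rule itself and not from request validation.
    public static bool IsValid(CommentModel model, out List<ValidationResult> errors)
    {
        errors = new List<ValidationResult>();
        var context = new ValidationContext(model, null, null);
        // validateAllProperties must be true; otherwise only [Required] is evaluated.
        return Validator.TryValidateObject(model, context, errors, true);
    }

    public static void Main()
    {
        // Constructed sample inputs: clean text, angle brackets, empty, over-length.
        string[] samples = { "plain text", "a < b", "<b>bold</b>", "", new string('x', 256) };
        foreach (var s in samples)
        {
            List<ValidationResult> errors;
            bool ok = IsValid(new CommentModel { Text = s }, out errors);
            string preview = s.Length > 20 ? s.Substring(0, 20) + "..." : s;
            // With [ValidateInput(false)] in place, the application owns output encoding.
            Console.WriteLine("\"{0}\" valid={1}", WebUtility.HtmlEncode(preview), ok);
            foreach (var e in errors)
                Console.WriteLine("    " + e.ErrorMessage);
        }
    }
}
```

If the rule behaves correctly here but the request still fails inside the application, the rejection is coming from request validation or binding rather than from the regular expression.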
N
0

If it's just a field, you could just write a routine to look for a character '< or >' and remove it. You can achieve this by making use of substring. Hope this helps.

  • use For loop to length of text to be tested (for (int i=1, i <= text.length, ++))
  • verify each character beginning 1 (e.g. ch = text.substring(i,1))
  • add each read character to tmp string except '< or >'

Neogene answered 20/11, 2010 at 19:28 Comment(0)
M
0

I suppose the static method Escape() would solve this for you.

  Regex r = new Regex(Regex.Escape(expression));

Mohammadmohammed answered 23/11, 2010 at 13:28 Comment(0)
H
0

Put this line in web.config

<httpRuntime requestValidationMode="2.0" />

This is a change in ASP.NET 4.0

Heart answered 10/12, 2010 at 9:44 Comment(0)