Ayende @ Rahien

Hi!
My name is Ayende Rahien
Founder of Hibernating Rhinos LTD and RavenDB.
You can reach me by phone or email:

ayende@ayende.com

+972 52-548-6969

@

Posts: 5,947 | Comments: 44,540

filter by tags archive

Comments

Jeff

This is pretty common error(?) you get when you try to POST any data with ASP.NET MVC via Ajax. Pretty easy to fix with [ValidateInput(false)]...Its annoying as hell because if you have a say a "home" page with many partials from many controllers, you need to add to EVERY controller...blargh!

Jeff

err, any POST data with HTML or HTML-like characters.

Robert

A handy trick if you want to pass html-like characters in a field without disabling validation outright is to put two underscores in front of the fields name which will let that field through, ie: name=" __html"

Dmitriy Nagirnyak

@Jeff, you can inherit from BaseController and set its "ValidateRequest = false" in its constructor (or wherever) only once.

I never liked the attributes :)

Stephen

One of many reasons I really don't like the ASP.NET stack more and more, its so general purpose and if anything aimed at the casual developers its sickening that in order to get it close to what you want you have to go and do more work (often runtime work) to turn OFF all the useless crap thats turned on by default..

This is why I don't think conventions are great in library code, just WHO are you targeting and why not just have sample code/templates to define conventions.

Conventions should exist in the 'implementation' (the app) not its frameworks, if you DO put a convention in your framework then you best seriously think about how you design it for pluggability.

tobi

for security purposes this is worthless as there are many known ways around this protection. you just have to encode the characters differently. if anyone wants to hack your site he still can do it with standard techniques. only people not wanting to hack the site are suffering.

a better solution would have been to make the <%= %> syntax html-encode by default which anyway is what you want most of the time.

tobi

this blog has removed my html: < % = % >. thats exactly as wrong as asp.net filtering. why not just encode html chars and allow them? this is guaranteed to be safe while filtering is not and provides a less good user experience.

tobi

just one more thing: this is not safe by default, because there are easy ways around it. html-encoding all user input by default would be safe by default. oh you just cannot let people make security descisions. they get it wrong all the time. it is like the windows lan manager storing hashed passwords in two halfes instead of one whole. anyone who does not understand the problem with that should not design an authentication system at all.

Chris

That annoys the hell out of me. Ironically our production app has an issue with this exception, even though we've turned it off at the web.config level and in our BaseController. It occurs about once a week and we can't locate the data that is causing it.

Jeff

@Dmtriy - doh, so obvious! Thanks!

Duckie

Chris: Cant you just log the error and fix it :-)?

Anyways, you just need a [ValidateInput(false)] on the action, asp.net mvc doesnt seem to care about the setting in web.config.

Chris

@Duckie: Our app is on the large size. We have about 60 controllers with over 600 actions. I'd rather have something in the controller infrastructure than decorating everything with that.

Comment preview

Comments have been closed on this topic.

FUTURE POSTS

No future posts left, oh my!

RECENT SERIES

  1. RavenDB Sharding (2):
    21 May 2015 - Adding a new shard to an existing cluster, the easy way
  2. The RavenDB Comic Strip (2):
    20 May 2015 - Part II – a team in trouble!
  3. Challenge (45):
    28 Apr 2015 - What is the meaning of this change?
  4. Interview question (2):
    30 Mar 2015 - fix the index
  5. Excerpts from the RavenDB Performance team report (20):
    20 Feb 2015 - Optimizing Compare – The circle of life (a post-mortem)
View all series

RECENT COMMENTS

Syndication

Main feed Feed Stats
Comments feed   Comments Feed Stats