Oren Eini

aka Ayende Rahien

Oren Eini

CEO of RavenDB

a NoSQL Open Source Document Database

Get in touch with me:

oren@ravendb.net +972 52-548-6969

Posts: 7,575
|
Comments: 51,188

Copyright ©️ Ayende Rahien 2004 — 2025

Privacy Policy · Terms
filter by tags archive
stack view grid view
  • architecture (606) rss
  • bugs (450) rss
  • challanges (123) rss
  • community (377) rss
  • databases (481) rss
  • design (893) rss
  • development (640) rss
  • hibernating-practices (71) rss
  • miscellaneous (592) rss
  • performance (397) rss
  • programming (1085) rss
  • raven (1442) rss
  • ravendb.net (526) rss
  • reviews (184) rss
  • 2025
    • May (7)
    • April (10)
    • March (10)
    • February (7)
    • January (12)
  • 2024
    • December (3)
    • November (2)
    • October (1)
    • September (3)
    • August (5)
    • July (10)
    • June (4)
    • May (6)
    • April (2)
    • March (8)
    • February (2)
    • January (14)
  • 2023
    • December (4)
    • October (4)
    • September (6)
    • August (12)
    • July (5)
    • June (15)
    • May (3)
    • April (11)
    • March (5)
    • February (5)
    • January (8)
  • 2022
    • December (5)
    • November (7)
    • October (7)
    • September (9)
    • August (10)
    • July (15)
    • June (12)
    • May (9)
    • April (14)
    • March (15)
    • February (13)
    • January (16)
  • 2021
    • December (23)
    • November (20)
    • October (16)
    • September (6)
    • August (16)
    • July (11)
    • June (16)
    • May (4)
    • April (10)
    • March (11)
    • February (15)
    • January (14)
  • 2020
    • December (10)
    • November (13)
    • October (15)
    • September (6)
    • August (9)
    • July (9)
    • June (17)
    • May (15)
    • April (14)
    • March (21)
    • February (16)
    • January (13)
  • 2019
    • December (17)
    • November (14)
    • October (16)
    • September (10)
    • August (8)
    • July (16)
    • June (11)
    • May (13)
    • April (18)
    • March (12)
    • February (19)
    • January (23)
  • 2018
    • December (15)
    • November (14)
    • October (19)
    • September (18)
    • August (23)
    • July (20)
    • June (20)
    • May (23)
    • April (15)
    • March (23)
    • February (19)
    • January (23)
  • 2017
    • December (21)
    • November (24)
    • October (22)
    • September (21)
    • August (23)
    • July (21)
    • June (24)
    • May (21)
    • April (21)
    • March (23)
    • February (20)
    • January (23)
  • 2016
    • December (17)
    • November (18)
    • October (22)
    • September (18)
    • August (23)
    • July (22)
    • June (17)
    • May (24)
    • April (16)
    • March (16)
    • February (21)
    • January (21)
  • 2015
    • December (5)
    • November (10)
    • October (9)
    • September (17)
    • August (20)
    • July (17)
    • June (4)
    • May (12)
    • April (9)
    • March (8)
    • February (25)
    • January (17)
  • 2014
    • December (22)
    • November (19)
    • October (21)
    • September (37)
    • August (24)
    • July (23)
    • June (13)
    • May (19)
    • April (24)
    • March (23)
    • February (21)
    • January (24)
  • 2013
    • December (23)
    • November (29)
    • October (27)
    • September (26)
    • August (24)
    • July (24)
    • June (23)
    • May (25)
    • April (26)
    • March (24)
    • February (24)
    • January (21)
  • 2012
    • December (19)
    • November (22)
    • October (27)
    • September (24)
    • August (30)
    • July (23)
    • June (25)
    • May (23)
    • April (25)
    • March (25)
    • February (28)
    • January (24)
  • 2011
    • December (17)
    • November (14)
    • October (24)
    • September (28)
    • August (27)
    • July (30)
    • June (19)
    • May (16)
    • April (30)
    • March (23)
    • February (11)
    • January (26)
  • 2010
    • December (29)
    • November (28)
    • October (35)
    • September (33)
    • August (44)
    • July (17)
    • June (20)
    • May (53)
    • April (29)
    • March (35)
    • February (33)
    • January (36)
  • 2009
    • December (37)
    • November (35)
    • October (53)
    • September (60)
    • August (66)
    • July (29)
    • June (24)
    • May (52)
    • April (63)
    • March (35)
    • February (53)
    • January (50)
  • 2008
    • December (58)
    • November (65)
    • October (46)
    • September (48)
    • August (96)
    • July (87)
    • June (45)
    • May (51)
    • April (52)
    • March (70)
    • February (43)
    • January (49)
  • 2007
    • December (100)
    • November (52)
    • October (109)
    • September (68)
    • August (80)
    • July (56)
    • June (150)
    • May (115)
    • April (73)
    • March (124)
    • February (102)
    • January (68)
  • 2006
    • December (95)
    • November (53)
    • October (120)
    • September (57)
    • August (88)
    • July (54)
    • June (103)
    • May (89)
    • April (84)
    • March (143)
    • February (78)
    • January (64)
  • 2005
    • December (70)
    • November (97)
    • October (91)
    • September (61)
    • August (74)
    • July (92)
    • June (100)
    • May (53)
    • April (42)
    • March (41)
    • February (84)
    • January (31)
  • 2004
    • December (49)
    • November (26)
    • October (26)
    • September (6)
    • April (10)
Deep Dive into RavenDB webinars
  previous post next post  
Sep 17 2009

Safe by default is also annoying by default

time to read 1 min | 53 words

This was the cause of a NH Prof not being able to report some errors home.

image

I follow the logic, I agree with the logic, but I still goes ARGH!!!

Tweet Share Share 13 comments
Tags:
  • Bugs

  previous post next post  

Comments

Phillip Haydon
17 Sep 2009
01:18 AM
Phillip Haydon

Lol. Fun times.

Jeff
17 Sep 2009
04:30 AM
Jeff

This is pretty common error(?) you get when you try to POST any data with ASP.NET MVC via Ajax. Pretty easy to fix with [ValidateInput(false)]...Its annoying as hell because if you have a say a "home" page with many partials from many controllers, you need to add to EVERY controller...blargh!

Jeff
17 Sep 2009
05:48 AM
Jeff

err, any POST data with HTML or HTML-like characters.

Robert
17 Sep 2009
07:11 AM
Robert

A handy trick if you want to pass html-like characters in a field without disabling validation outright is to put two underscores in front of the fields name which will let that field through, ie: name=" __html"

Dmitriy Nagirnyak
17 Sep 2009
07:29 AM
Dmitriy Nagirnyak

@Jeff, you can inherit from BaseController and set its "ValidateRequest = false" in its constructor (or wherever) only once.

I never liked the attributes :)

Stephen
17 Sep 2009
09:10 AM
Stephen

One of many reasons I really don't like the ASP.NET stack more and more, its so general purpose and if anything aimed at the casual developers its sickening that in order to get it close to what you want you have to go and do more work (often runtime work) to turn OFF all the useless crap thats turned on by default..

This is why I don't think conventions are great in library code, just WHO are you targeting and why not just have sample code/templates to define conventions.

Conventions should exist in the 'implementation' (the app) not its frameworks, if you DO put a convention in your framework then you best seriously think about how you design it for pluggability.

tobi
17 Sep 2009
10:35 AM
tobi

for security purposes this is worthless as there are many known ways around this protection. you just have to encode the characters differently. if anyone wants to hack your site he still can do it with standard techniques. only people not wanting to hack the site are suffering.

a better solution would have been to make the <%= %> syntax html-encode by default which anyway is what you want most of the time.

tobi
17 Sep 2009
10:36 AM
tobi

this blog has removed my html: < % = % >. thats exactly as wrong as asp.net filtering. why not just encode html chars and allow them? this is guaranteed to be safe while filtering is not and provides a less good user experience.

tobi
17 Sep 2009
10:44 AM
tobi

just one more thing: this is not safe by default, because there are easy ways around it. html-encoding all user input by default would be safe by default. oh you just cannot let people make security descisions. they get it wrong all the time. it is like the windows lan manager storing hashed passwords in two halfes instead of one whole. anyone who does not understand the problem with that should not design an authentication system at all.

Chris
17 Sep 2009
10:52 AM
Chris

That annoys the hell out of me. Ironically our production app has an issue with this exception, even though we've turned it off at the web.config level and in our BaseController. It occurs about once a week and we can't locate the data that is causing it.

Jeff
17 Sep 2009
20:46 PM
Jeff

@Dmtriy - doh, so obvious! Thanks!

Duckie
18 Sep 2009
13:04 PM
Duckie

Chris: Cant you just log the error and fix it :-)?

Anyways, you just need a [ValidateInput(false)] on the action, asp.net mvc doesnt seem to care about the setting in web.config.

Chris
18 Sep 2009
21:18 PM
Chris

@Duckie: Our app is on the large size. We have about 60 controllers with over 600 actions. I'd rather have something in the controller infrastructure than decorating everything with that.

Comment preview

Comments have been closed on this topic.

Markdown formatting

ESC to close

Markdown turns plain text formatting into fancy HTML formatting.

Phrase Emphasis

*italic*   **bold**
_italic_   __bold__

Links

Inline:

An [example](http://url.com/ "Title")

Reference-style labels (titles are optional):

An [example][id]. Then, anywhere
else in the doc, define the link:
  [id]: http://example.com/  "Title"

Images

Inline (titles are optional):

![alt text](/path/img.jpg "Title")

Reference-style:

![alt text][id]
[id]: /url/to/img.jpg "Title"

Headers

Setext-style:

Header 1
========
Header 2
--------

atx-style (closing #'s are optional):

# Header 1 #
## Header 2 ##
###### Header 6

Lists

Ordered, without paragraphs:

1.  Foo
2.  Bar

Unordered, with paragraphs:

*   A list item.
    With multiple paragraphs.
*   Bar

You can nest them:

*   Abacus
    * answer
*   Bubbles
    1.  bunk
    2.  bupkis
        * BELITTLER
    3. burper
*   Cunning

Blockquotes

> Email-style angle brackets
> are used for blockquotes.
> > And, they can be nested.
> #### Headers in blockquotes
> 
> * You can quote a list.
> * Etc.

Horizontal Rules

Three or more dashes or asterisks:

---
* * *
- - - - 

Manual Line Breaks

End a line with two or more spaces:

Roses are red,   
Violets are blue.

Fenced Code Blocks

Code blocks delimited by 3 or more backticks or tildas:

```
This is a preformatted
code block
```

Header IDs

Set the id of headings with {#<id>} at end of heading line:

## My Heading {#myheading}

Tables

Fruit    |Color
---------|----------
Apples   |Red
Pears	 |Green
Bananas  |Yellow

Definition Lists

Term 1
: Definition 1
Term 2
: Definition 2

Footnotes

Body text with a footnote [^1]
[^1]: Footnote text here

Abbreviations

MDD <- will have title
*[MDD]: MarkdownDeep

 

FUTURE POSTS

  1. NOT Sharding RavenDB Vector Search - 4 hours from now
  2. Optimizing the cost of clearing a set - 3 days from now
  3. Scaling HNSW in RavenDB: Optimizing for inadequate hardware - 5 days from now

There are posts all the way to May 14, 2025

RECENT SERIES

  1. RavenDB News (2):
    02 May 2025 - May 2025
  2. Recording (15):
    30 Apr 2025 - Practical AI Integration with RavenDB
  3. Production Postmortem (52):
    07 Apr 2025 - The race condition in the interlock
  4. RavenDB (13):
    02 Apr 2025 - .NET Aspire integration
  5. RavenDB 7.1 (6):
    18 Mar 2025 - One IO Ring to rule them all
View all series

RECENT COMMENTS

  • But in case you have nullability checks enabled (i.e. `<Nullable>enable</Nullable>`), then you'll have a compiler warning on ...
    By Samyon Ristov on The null check that didn't check for nulls
  • Grok wasn't *wrong*. It only said that `_items` can't be null for the condition to evaluate to `true`, but didn't say anythi...
    By Johannes Egger on The null check that didn't check for nulls
  • When I started enabling NRT, I remember I was initially confused when all variables (for reference types) declared with `var`...
    By riccardo on The null check that didn't check for nulls
  • That is surprising - I think of var as a shorthand that does not affect the final result of the compilation. I wouldn't expec...
    By Chris B on The null check that didn't check for nulls
  • "It is also about as friendly as a monkey with a sore tooth and an alcohol addiction." And I have to clean my monitor.
    By Tim on When racing the Heisenbug, code quality goes out the Windows

Syndication

Main feed Feed Stats
Comments feed   Comments Feed Stats
}