I would like to intercept the "<" character in the form field by a regex validator. I will describe the problem in 3 steps:

Step 1: When I try to submit a form with a field containing the "<" character, I get the "Potentially dangerous request..." - as expected in ASP.NET.

Step 2: To avoid ASP.NET's RequestValidation, I decorate my Update method in the controller with "[ValidateInput(false)]".

It works as expected - now I can post "<" character without error.

Step 3: I use xVal with DataAnnotations. For example, [Required] or [StringLength(255)] works as expected.

BUT when I use: [RegularExpression("^[^<>]*$", ErrorMessage = "Special characters are not allowed.")], I get the "Potentially dangerous request..." error again, despite the [ValidateInput(false)] directive.

What's happening? Is there a simpler way for regex validation, but with [ValidateInput(false)] in place? Of course, I'd like to have my validation code in the model, not in the controller.

A: 

I'm using xVal & nhibernate.validator, and I tried to reproduce this behavior, but because the validator is tied into the client side I couldn't get a value past the client-side validation. When I disabled JavaScript, it got to the server-side validation and was caught by the regular expression validator.

I tried the same thing using the data annotations validation attributes and model binder, and it made it past as well.

There must be something else going on that is causing the error. Sorry I couldn't be more helpful!

Patricia
A: 

I'm running into the same issue... Disabling XVal.Rules allows unencoded HTML, but there's no way to bypass the validation if it's enabled.

Has anyone had a chance to figure this dilemma out?

plastical
A: 

Try validating using a simple rule with this method. This can at least eliminate xVal from the equation. If the problem persists then I'd suggest it's related to either:

  • the implementation of MVC's default Model Binder
  • or there is a problem with the MVC view engine in the release you're using that's somehow allowing an exception to be made for the attribute you specified by validating the < when it shouldn't be

cottsak
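
To separate the two mechanisms discussed in this thread, the following added example (not code from any of the posts) runs the question's DataAnnotations attributes outside the ASP.NET pipeline, assuming .NET 4 or later for `Validator.TryValidateObject`; the `CommentModel` class and its `Text` property are hypothetical. The regex attribute reports "<" as an ordinary validation error, so the "Potentially dangerous request..." exception is raised by ASP.NET request validation rather than by the attribute itself.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;

// Hypothetical model: the class and property names are assumptions,
// the three attributes are the ones quoted in the question.
public class CommentModel
{
    [Required]
    [StringLength(255)]
    [RegularExpression("^[^<>]*$", ErrorMessage = "Special characters are not allowed.")]
    public string Text { get; set; }
}

public static class Program
{
    // Runs every DataAnnotations attribute on the model and returns the error messages.
    public static List<string> Validate(CommentModel model)
    {
        var results = new List<ValidationResult>();
        var context = new ValidationContext(model, null, null);
        // validateAllProperties must be true; otherwise only [Required] is evaluated.
        Validator.TryValidateObject(model, context, results, true);
        return results.ConvertAll(r => r.ErrorMessage);
    }

    public static void Main()
    {
        // Constructed sample inputs, including markup that request validation would block.
        string[] samples = { "plain text", "a < b", "<b>bold</b>", "" };
        foreach (var s in samples)
        {
            List<string> errors = Validate(new CommentModel { Text = s });
            Console.WriteLine("{0,-16} -> {1}", "\"" + s + "\"",
                errors.Count == 0 ? "valid" : string.Join("; ", errors.ToArray()));
        }
    }
}
```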