I have been browsing the web and Stack Overflow trying to figure out how to handle this error.

A potentially dangerous Request.Form value was detected from the client

The error occurs when a user enters HTML or XML tags (< p> or < HeyImXML>) and tries to submit a form. The input is not supposed to contain any sort of markup at all, just plain text.

I am using ASP.NET MVC 2.0 and I'm using model binding validation as well as Html.EnableClientValidation. These work fine as long as there is no markup entered. I was wondering what the best approach is to avoid this error page.

My guess is to write a new validation class which checks for this kind of markup?

Clarification:

I want to catch the error in this specific instance. To clarify, there is an area with a form for site admins, who can enter markup, and there is a normal users' area where they cannot enter markup. However, this error page appears when a normal user enters markup. My question is, how do I handle this to prevent the site from crashing and showing the error page? I want to display a cleaner error without a site crash.

A: 

This was introduced early on in ASP.NET to try to help prevent script injection attacks. It isn't unique to MVC.

If you don't want this feature, you can turn it off and write your own.

To disable request validation on a page, set the validateRequest attribute of the Page directive to false:

<%@ Page validateRequest="false" %>

To disable request validation for your application, modify Web.config - set the validateRequest attribute of the <pages /> section to false:

<configuration> 
    <system.web> 
        <pages validateRequest="false" /> 
    </system.web> 
</configuration> 
DOK
Sorry, but <%@ Page validateRequest="false" %> doesn't exist in MVC. You activate it in the controller as a meta tag, and for .NET 4.0, which I'm using, it's <httpRuntime requestValidationMode="2.0" /> under the <system.web> tag. I edited my original post to clarify my question.
Mikael
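An added example, not code from the question or the answer: one way to get a clean validation message instead of the error page is to skip built-in request validation for a single action and reject markup in model validation instead, as the question's guess suggests. NoMarkupAttribute, CommentModel and CommentController are hypothetical names; on .NET 4.0 this assumes the <httpRuntime requestValidationMode="2.0" /> setting from the comment above.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical attribute: fails validation when a string contains angle brackets,
// so markup is reported as an ordinary model error rather than an exception.
[AttributeUsage(AttributeTargets.Property)]
public sealed class NoMarkupAttribute : ValidationAttribute
{
    public NoMarkupAttribute()
    {
        ErrorMessage = "Markup is not allowed in this field.";
    }

    public override bool IsValid(object value)
    {
        var text = value as string;
        if (string.IsNullOrEmpty(text))
            return true; // empty values are left to [Required]

        return text.IndexOf('<') < 0 && text.IndexOf('>') < 0;
    }
}

// Hypothetical model for the normal users' form.
public class CommentModel
{
    [Required]
    [NoMarkup]
    public string Body { get; set; }
}

// Hypothetical controller.
public class CommentController : Controller
{
    [HttpPost]
    [ValidateInput(false)] // built-in request validation is off for this action only
    public ActionResult Create(CommentModel model)
    {
        if (!ModelState.IsValid)
            return View(model); // redisplay the form with the validation message

        // Persist model.Body here; still HTML-encode it wherever it is rendered.
        return RedirectToAction("Index");
    }
}
```

Every other action keeps the default request validation, so only this action depends on the attribute and on output encoding.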