Solving the “A potentially dangerous Request.Form value was detected….” in ASP.NET MVC

By James, December 30, 2010 15:57

Oftentimes an MVC application needs to POST back text that a user has entered into a text field or textarea. In a project I am working on, I am using the TinyMCE WYSIWYG text editor to allow users to write articles. The editor allows HTML tags such as <p>, <strong>, <em>, etc., and when submitting the form I ran into the infamous “A potentially dangerous Request.Form value was detected” error. So, how do you get around this? You want the user to be able to use some HTML, but you also need to secure your site against scripting attacks.

Enter the [ValidateInput(false)] attribute.

Adding this attribute to each of the action methods where you expect HTML tags to come in will allow the controller to continue with the action. This works most of the time, but it is not exactly bulletproof for protecting your site.

By doing a string.Replace() on the incoming content and checking for suspicious and/or malicious code, you can secure your site a bit more.

   1: [ValidateInput(false)]
   2: [HttpPost]
   3: public ActionResult Create(Article article, FormCollection collection)
   4: {
   5:   var author = HttpContext.User.Identity.Name;
   6:   var member = _appHelpers.GetAuthenticatedMember(author);
   7:   article.ArticleContent = 
   8:       article.ArticleContent.Replace("<script", "[script")
   9:       .Replace("</script>", "[/script]");
  10:   _repo.Create(article);
  11:   return RedirectToAction("Edit", new {articleId = article.Id});
  12: }

Lines 8 and 9 in the above code replace “<script” tags with innocuous “[script” strings, making sure no JavaScript can run in the content that is submitted. You can continue along this line to remove SQL injection attack strings as well.

A nice little method to put in your tool belt. Be sure to use it on your Edit actions as well.
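The following is an added example, not code from the post, that puts the post's case-sensitive Replace() blacklist side by side with a small tag allow-list filter. The class name, the allowed-tag list, and the constructed sample input are assumptions for illustration; it shows why a literal string match is easy to miss with (the <Script> and onclick cases raised in the comments below) and what an allow-list that drops every attribute does with the same input.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical helper (not from the post): compares the post's blacklist
// Replace() with a minimal tag allow-list. Allowed tags are an assumption.
public static class ArticleContentFilter
{
    // The post's approach: a literal, case-sensitive replacement of "<script".
    public static string BlacklistReplace(string content) =>
        content.Replace("<script", "[script").Replace("</script>", "[/script]");

    static readonly string[] AllowedTags = { "p", "strong", "em", "ul", "ol", "li", "br" };

    // Allow-list approach: keep only known tags, rebuilt without any attributes
    // (so no onclick=, href="javascript:" etc. survive). Every other tag, in
    // any letter case, is HTML-encoded so the browser renders it as plain text.
    public static string AllowListSanitize(string content)
    {
        return Regex.Replace(content, @"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>", m =>
        {
            string slash = m.Groups[1].Value;                 // "/" for closing tags
            string tag = m.Groups[2].Value.ToLowerInvariant(); // case-insensitive compare
            if (Array.IndexOf(AllowedTags, tag) >= 0)
                return "<" + slash + tag + ">";
            return System.Net.WebUtility.HtmlEncode(m.Value);
        });
    }

    public static void Main()
    {
        // Constructed sample input: mixed-case tag plus an inline event handler.
        string input = "<Script>alert(1)</Script><p onclick=\"alert(2)\">hi</p>";

        // Unchanged: Replace() only matches lower-case "<script".
        Console.WriteLine(BlacklistReplace(input));

        // &lt;Script&gt;alert(1)&lt;/Script&gt;<p>hi</p>
        Console.WriteLine(AllowListSanitize(input));
    }
}
```

This filter only handles tags; it is meant to show the difference in approach, and a maintained library such as the Web Protection Library the commenters mention is the better choice for production input handling.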

Happy Programming from ComponentOne

James

Comments (2)

4/11/2011 7:20:40 PM

Michael T Roth

James,

I disagree; this might open you up to an attack. Sanitizing user input is a very complicated responsibility, and generally security experts recommend you try not to use blacklisting or whitelisting. Also, respectfully, it might be better to use tools that exist instead of rolling your own.

www.microsoft.com/.../details.aspx

A security vector I can see looking at your code: while <script> is not allowed, I could do this: <Script>. Your controller action would allow this to be persisted to the database. Also, what about javascript directives attached to buttons and such?

Michael T Roth, United States

4/15/2011 3:21:50 PM

Mike Roth

Meant to say they recommend you use whitelisting instead of blacklisting, but in any way you should look at the WPL library on CodePlex. Code injection is a really real concern, and it requires a lot of thought and knowledge about possible attack vectors.

Mike Roth, United States

About the author

James is a five-time and current Microsoft MVP in Client App Development, a Telerik Insider, a past Director on the INETA North America Board, a husband and dad, and has been developing software since the early days of Laser Discs and HyperCard stacks. As the Founder and President of the Inland Empire .NET User's Group, he has fondly watched it grow from a twice-a-month, early Saturday morning group of five in 2003 to a robust and rambunctious gathering of all types and sizes of .NET developers.

James loves to dig deep into the latest cutting-edge technologies - sometimes with spectacular disasters - and spread the word about the latest and greatest bits, getting people excited about developing web sites and applications on the .NET platform and using the best tools for the job. He tries to blog as often as he can, but usually gets distracted by EF, LINQ, MVC, ASP, SQL, XML, and most other types of acronyms. To keep calm, James plays a mean Djembe and tries to practice his violin. You can follow him on Twitter at @latringo.

And as usual, the comments, suggestions, writings and rants are my own, and really shouldn't reflect the opinions of my employer. That is, unless it really does.
