Simple RTFEM OR why asp.net MVC [ValidateInput(false)] doesn't disable request validation on asp.net 4

24 במרץ 2010

Have been doing a lot of asp.new MVC the past three months, learning it as we build the project(hope to share more in the near future).
We are using visual studio 2010, so now we're stuck with MVC2 RC1 since RTM wasn't shipped for the the RC version of 2010 (and yes this is a huge rant!!, we are stuck with 2010 since we also chose to work with entity framework 4 which only work on framework 4.0).
This is why i suspect every feature that doesn't work well as a problem of an early release.

Before i get to the point, just wanted to state that i really like the MVC framework, and i don't even consider moving back to WebForms.
it is much more natural to write code this way, and the thing i like the most is that it is extensible and Microsoft have
released all it's code, so if something doesn't behave well – ditch it and replace it, using the supplied code as a reference.

Now to the point – RTFEM == Read The Fucking Error Message.
well.. nobody hardly does, and if the error is too long – nobody reads it.
At one of my forms i use a Rich Text Editor (TinyMCE if you must know), so i have to disable request validation or else i'll get a server error for posting potentially….

In WebForms you just set the validateRequest="false" at the page level, and you're OK.
in MVC
disabling this feature is a bit different,
setting validateRequest="false" on the aspx or at the
web.config won't cut it since these are only views, the controller
handles the request first and just use the view as template.
So the MVC team gave us the
[ValidateInput(false)] attribute to disable this annoying
feature.
But just setting it on an action will also fail, you still have to
set one more setting at the web.config for this to work(if you are working with asp.net 4):
<system.web>

<httpRuntime
requestValidationMode="2.0" />

</system.web>

you can read at the ASP.NET 4 Release Candidate (RC) Breaking Changes that now all requests to the server "enjoy" this validation,
and not just aspx pages, which is OK and more secure, but MS should have gave us a better way to disable it for specific requests, instead of just reverting to the 2.0 mode.
as the above paper states,request validation is enabled before the beginRequest stage, so i don't believe that at the RTM it will be fixed.

As for the time it took me to realize that and add the web.config entry, the answer was in front of me all the
time in the ugly YSOD(yes i feel stupid now),
I just ignored it
because it had all this WebForms specific error data and instructions
that i know are not the answer.

I would expect a change at the error message from MS for the MVC people(or better – that putting [ValidateInput(false)]will just work) ,
but that's just me dreaming.

The error message(the yellow part is the relevant part for me): 

A potentially dangerous Request.Form value was detected
from the client (SomeLie="<b>Bold Lie</b>").

Description: Request Validation has detected a
potentially dangerous client input value, and processing of the request
has been aborted. This value may indicate an attempt to compromise the
security of your application, such as a cross-site scripting attack. To
allow pages to override application request validation settings, set
the requestValidationMode attribute in the httpRuntime configuration
section to requestValidationMode="2.0". Example: <httpRuntime
requestValidationMode="2.0" />
. After setting this value, you
can
then disable request validation by setting validateRequest="false" in
the Page directive or in the <pages> configuration section.
However, it is strongly recommended that your application explicitly
check all inputs in this case. For more information, see
http://go.microsoft.com/fwlink/?LinkId=153133.

Exception Details: System.Web.HttpRequestValidationException:
A potentially dangerous Request.Form value was detected from the client
(SomeLie="<b>Bold Lie</b>").

 

P.S.
when looking for the solution, encountered this http://stackoverflow.com/questions/1461330/validateinput-attribute-doesnt-seem-to-work-in-asp-net-mvc

This shows another thing to look for – "If there are any calls to other
actions in the request context (e.g. from the
Master Page or child partials) these actions also need to have
[ValidateInput(false)] set appropriately"

hope this helps.

והסבר קצר בעברית: יתווסף פה בהמשך.. עייף מידיי כרגע, מצטער.
רק תקפידו לקרוא את הודעות השגיאה, גם אם נראה שהן לא לגמריי קשורות.

 
 
הוסף תגובה
facebook linkedin twitter email

כתיבת תגובה

האימייל לא יוצג באתר. שדות החובה מסומנים *