AllowHtml not working

I am creating a content management system so that people, except me, do not update the material on the site.

I have a front-facing HTML form that sends data via AJAX to a controller:

    // CONTROLLER
    [ValidateInput(false)]
    public void CarAJAX()
    {
        CarAdmin CA = new CarAdmin();
        CA.UpdateCar(System.Web.HttpContext.Current.Request);
    }

This data will have HTML, so I keep getting an error in my model:

    // MODEL
    using System;
    using System.Web;
    using System.Web.Mvc;

    namespace Site.Models
    {
        public class CarAdmin
        {
            public String id { get; set; }

            [AllowHtml]
            public String HTML_Stuff { get; set; }

            public CarAdmin() { }

            public void UpdateCar(HttpRequest Request)
            {
                HTML_Stuff = Request.Form["HTML_Stuff"]; // <-- ERROR HAPPENS HERE!!!!!!

                // sanitation and validation

                // Parameterized UPDATE: never String.Format user input into SQL
                String Select = "UPDATE Car SET HTML_Stuff = @html WHERE id = @id";
                // Execute DB Command with @html = HTML_Stuff and @id = id
            }
        }
    }

As shown in the code, I get an error when I try to set a member equal to the request variable with HTML.

Edit: Error: "A potentially dangerous value was found in Request.Form."

Here is what I tried:

  • Changing the validation mode in web.config, but I do not want to change the validation for my entire site when only one variable will have HTML.

  • [AllowHtml] in the Model; however, I still get the same error, as if [AllowHtml] did nothing.

  • [ValidateInput(false)] in the controller, similar to AllowHtml; it does not seem to have any effect.

Did I miss something?

+5
source share
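The failure described in the question comes from reading the raw form collection: [AllowHtml] is honoured only by the MVC value provider during model binding, so a direct Request.Form["HTML_Stuff"] access still triggers request validation. As an added example (not code from the question), the action below keeps validation on for every field except the one that legitimately carries markup, sanitizes that field, and writes it with a parameterized query. It assumes ASP.NET MVC on .NET 4.5 or later (for HttpRequestBase.Unvalidated), the HtmlSanitizer NuGet package (namespace Ganss.Xss in recent versions, Ganss.XSS in older ones), a Car table with columns id and HTML_Stuff, and a connection string named "SiteDb"; all of these are assumptions, not details from the thread.

```csharp
// Added example, not the question's code: read ONE field without request
// validation while every other field keeps ASP.NET's default validation.
// Assumptions: .NET 4.5+ (Request.Unvalidated), HtmlSanitizer NuGet package,
// a Car table (id, HTML_Stuff), and a connection string named "SiteDb".
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Mvc;
using Ganss.Xss;

namespace Site.Controllers
{
    public class CarController : Controller
    {
        // Allowlist-based sanitizer: strips script, event handlers, javascript: URLs, etc.
        private static readonly HtmlSanitizer Sanitizer = new HtmlSanitizer();

        [HttpPost]
        public ActionResult CarAJAX()
        {
            // Validated read: throws HttpRequestValidationException if it contains markup,
            // which is exactly what we want for a field that must never carry HTML.
            string rawId = Request.Form["id"];

            int carId;
            if (!int.TryParse(rawId, out carId) || carId <= 0)
                return new HttpStatusCodeResult(400, "id must be a positive integer");

            // Unvalidated read for the one field that legitimately carries HTML.
            // [AllowHtml] does not help on this code path: it only applies while MVC
            // binds a model, and direct Request.Form access bypasses model binding.
            string html = Request.Unvalidated.Form["HTML_Stuff"] ?? string.Empty;

            // Sanitize before storage so that stored markup is safe to render later.
            string safeHtml = Sanitizer.Sanitize(html);

            string cs = ConfigurationManager.ConnectionStrings["SiteDb"].ConnectionString;
            using (var conn = new SqlConnection(cs))
            using (var cmd = new SqlCommand(
                "UPDATE Car SET HTML_Stuff = @html WHERE id = @id", conn))
            {
                // Parameters, never String.Format: the markup is data, not SQL text.
                cmd.Parameters.AddWithValue("@html", safeHtml);
                cmd.Parameters.AddWithValue("@id", carId);
                conn.Open();
                int rows = cmd.ExecuteNonQuery();
                return Json(new { updated = rows });
            }
        }
    }
}
```

Request.Unvalidated narrows the exemption to a single read, so the site-wide requestValidationMode setting and [ValidateInput(false)] on the whole action are both unnecessary here. Sanitizing at write time is the part that actually protects readers of the stored content; request validation only ever blocks obvious markup and is not a substitute for it.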
3 answers

I had the same problem. requestValidationMode="2.0" was set in web.config, [AllowHtml] was also set on the correct property, and I still had the error "potentially dangerous Request.Form value detected ...".

But I noticed that the controller method was actually called (I was able to debug the method), so this meant that validation was actually disabled. In the call stack, I repeatedly found classes around the cache, such as "System.Web.Caching.OutputCacheModule", and this led me to think that this has something to do with the cache. I turned it off for the entire controller this way: [OutputCache(NoStore = true, Duration = 0)].

Based on this, I also tried setting the cache location to OutputCacheLocation.None, and this did the trick. So I ended up with [OutputCache(NoStore = true, Duration = 0, Location = OutputCacheLocation.None)], working and finally not validating and not interrupting my requests.

+7
source

Try the following:

    // CONTROLLER
    [HttpPost]
    public ActionResult CarAJAX(CarAdmin model)
    {
        model.UpdateCar();
        return new HttpStatusCodeResult(204); // the action must return an ActionResult
    }

    // MODEL
    using System;
    using System.Web;
    using System.Web.Mvc;

    namespace Site.Models
    {
        public class CarAdmin
        {
            private string html;

            public String id { get; set; }

            [AllowHtml]
            public String HTML_Stuff
            {
                get { return html; }
                set
                {
                    // sanitation and validation on "value"
                    html = value;
                }
            }

            public CarAdmin() { }

            public void UpdateCar()
            {
                // Parameterized UPDATE: never String.Format user input into SQL
                String Select = "UPDATE Car SET HTML_Stuff = @html WHERE id = @id";
                // Execute DB Command with @html = HTML_Stuff and @id = id
            }
        }
    }

I also noticed that you are validating inside the method. It would probably be better if you did this when setting the property.

EDIT:
I learned a lot about this topic. You really need to bind the model to the controller using AJAX. Take a look at this example. I'm not sure about the extent of your code, but I think you will also need an ActionResult to return from the controller. There are good examples of what needs to be returned from an ActionResult.

0
source
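The model-binding route this answer recommends is the one where [AllowHtml] actually takes effect, because the attribute is read by MVC's value provider and not by Request.Form. As an added example (not this answer's or the question's code), the model below sanitizes in the property setter as suggested above, and the action binds it, checks ModelState and returns an ActionResult; it also carries the [OutputCache] attribute from the first answer in this thread. It assumes ASP.NET MVC 4 or later and the HtmlSanitizer NuGet package (namespace Ganss.Xss in recent versions, Ganss.XSS in older ones); those are assumptions, not details from the thread. The example goes slightly beyond the answer by contrasting [AllowHtml] with [ValidateInput(false)].

```csharp
// Added example, not the answer's own code: let MVC model binding carry the HTML
// so [AllowHtml] applies, and sanitize in the property setter.
// Assumptions: ASP.NET MVC 4+ and the HtmlSanitizer NuGet package.
using System;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using System.Web.UI;
using Ganss.Xss;

namespace Site.Models
{
    public class CarAdmin
    {
        private static readonly HtmlSanitizer Sanitizer = new HtmlSanitizer();
        private string html;

        // Ordinary field: stays under normal request validation and data annotations.
        [Range(1, int.MaxValue)]
        public int id { get; set; }

        // [AllowHtml] is honoured by the MVC value provider during model binding,
        // which is why reading Request.Form["HTML_Stuff"] by hand still throws.
        [AllowHtml]
        public string HTML_Stuff
        {
            get { return html; }
            // Sanitize on assignment so no code path can store unsanitized markup.
            set { html = value == null ? null : Sanitizer.Sanitize(value); }
        }
    }
}

namespace Site.Controllers
{
    using Site.Models;

    public class CarController : Controller
    {
        // No [ValidateInput(false)] here: that attribute switches validation off for
        // every value in the request, while [AllowHtml] limits the exemption to one
        // property. The OutputCache attribute mirrors what the first answer reported.
        [HttpPost]
        [OutputCache(NoStore = true, Duration = 0, Location = OutputCacheLocation.None)]
        public ActionResult CarAJAX(CarAdmin model)
        {
            if (model == null || !ModelState.IsValid)
                return new HttpStatusCodeResult(400, "invalid car data");

            // Persist model.HTML_Stuff with a parameterized UPDATE
            // (SqlCommand with @html and @id parameters), never String.Format.

            // Return the sanitized value so the AJAX caller sees exactly what was stored.
            return Json(new { id = model.id, html = model.HTML_Stuff });
        }
    }
}
```

The AJAX request must post form fields named id and HTML_Stuff (or a JSON body with those property names) for the default model binder to populate CarAdmin; if the page posts anything else, the binder leaves the properties empty rather than throwing, which is worth checking first when the action appears to do nothing.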

You should do it like this:

Create a separate class with the entities that are needed:

    public class EntityDto
    {
        public String id { get; set; }

        [AllowHtml]
        public String HTML_Stuff { get; set; }
    }

And then use it in your controller method:

    [ValidateInput(false)]
    public void UpdateCar(EntityDto model)
    {
        var html_stuff = model.HTML_Stuff;

        // sanitation and validation

        // Parameterized UPDATE: never String.Format user input into SQL
        String Select = "UPDATE Car SET HTML_Stuff = @html WHERE id = @id";
        // Execute DB Command with @html = html_stuff and @id = model.id
    }

Let me know if this helps.

-1
source
