MVC Side effect of using [HttpPost, ValidateInput(false)]

I have a TextArea in my strongly typed view defined with

@Html.TextAreaFor(x => x.Text) 

My controller action initially looked something like this:

[HttpPost]
public ViewResult Index(MyViewModel vm)
{
    using (var db = new MyEntities())
    {
        Post p = new Post();
        p.Text = vm.Text;
        db.Posts.AddObject(p);
        db.SaveChanges();
    }
    return View();
}

Everything went perfectly. The text entered by the user in the TextArea was transferred to the controller and stored in the Post table in SQL Server through the Entity Framework. The data type for this field is varchar(1000). (There is also model validation on the text box using MetadataType with the validation attribute [StringLength(1000)].)

I noticed that if I tried to copy some HTML source and paste it into TextArea and send it, I got the following error:

"A potentially dangerous Request.Form value was detected from the client"

The error led me to this question, and my takeaway from it was that I could just add

 [HttpPost, ValidateInput(false)] 

to my action to stop this type of check. This worked wonderfully, but, to my surprise, no matter what I tried to put in the TextArea, I could not cause any problems. If I embed javascript, html or T-SQL statements peppered with quotation marks, it still works fine. I see the exact characters I entered in the TextArea appear in the SQL table, and if I return the text back to the view, I see in the source that each character is converted to its HTML-encoded equivalent, and what appears on screen looks just like what I entered. I did not do any text conversion to accomplish this. Everything seems to work exactly the way I want by default. Of course, I am happy about this, but when I read about disabling the check, it is often followed by a warning that you should understand the consequences of doing so, and I don't think I do. Therefore, I wonder what the consequences are. Is there anything that someone can enter into my TextArea that can mess things up as a result of disabling input validation?

In case this is relevant, my specific settings are MVC4, .NET 4.0, Entity Framework 4.4, SQL Server 2012 Express.

+7
1 answer

If you use Razor, any text that you output will be automatically encoded, so it is displayed as text in the browser but is not interpreted as javascript, etc.

If you turn off validation, you have to be very careful to make sure that you encode all user input before you display it, so that you don't accidentally run any javascript on your page because of bad user input (look up XSS for some examples).

You can quickly test (albeit not exhaustively) by adding a javascript alert("hello") to the various varchar fields in your database and seeing whether it gets called when you visit the page.

Also, even if you don't display the user data, it can have consequences depending on how you access the data.

Even if you use something like Entity Framework, you are not protected from SQL injection, for example if you use stored procedures and do not validate the input. See the Troy Hunt article on this.

+9
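As an added illustration (not code from the question or the answer), here is the question's action with the two places where the answer says the consequences of ValidateInput(false) actually show up: unencoded output in the view, and a stored-procedure call built by string concatenation. It assumes the question's MyEntities (an EF4 ObjectContext), Post and MyViewModel types, and a hypothetical stored procedure dbo.SearchPosts.

```csharp
// Added example; assumes MyEntities, Post and MyViewModel from the question
// and a hypothetical stored procedure dbo.SearchPosts(@term).
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Web.Mvc;

public class PostsController : Controller
{
    // Request validation is off for this action only. [AllowHtml] on the
    // Text property of MyViewModel would be the narrower alternative.
    [HttpPost, ValidateInput(false)]
    public ViewResult Index(MyViewModel vm)
    {
        using (var db = new MyEntities())
        {
            // Entity Framework sends p.Text as a parameter, so quotes or
            // "<script>" in the text are stored as data and never become SQL.
            var p = new Post { Text = vm.Text };
            db.Posts.AddObject(p);
            db.SaveChanges();
        }
        // In Index.cshtml, @Model.Text is HTML-encoded by Razor, so stored
        // markup renders as literal text. Only @Html.Raw(Model.Text) emits it
        // unencoded and turns stored markup into XSS; that is the consequence
        // the answer warns about.
        return View(vm);
    }

    // UNSAFE: user text is spliced into the command string. A single quote in
    // term ends the literal and the rest of the value is executed as T-SQL;
    // ValidateInput(false) removed the only check that might have caught it.
    public IEnumerable<Post> SearchUnsafe(MyEntities db, string term)
    {
        return db.ExecuteStoreQuery<Post>(
            "EXEC dbo.SearchPosts '" + term + "'");
    }

    // SAFE: the same call with a SqlParameter. SQL Server receives the text as
    // a value, so its content cannot change the statement.
    public IEnumerable<Post> SearchSafe(MyEntities db, string term)
    {
        return db.ExecuteStoreQuery<Post>(
            "EXEC dbo.SearchPosts @term",
            new SqlParameter("@term", term));
    }
}
```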
