Question
Thursday, February 24, 2011 6:09 AM
Is it possible to handle the error 'A potentially dangerous Request.Form value was detected from the client' - this and only this error - and redirect the user to my view Error/DangerousRequest, in which I have the message 'You can't write tags html or javascript, please remove it'?
All replies (7)
Thursday, February 24, 2011 7:20 AM ✅ Answered
Try using the HandleErrorAttribute and specify System.Web.HttpRequestValidationException as the error type. You can set the View property for the page view used for displaying exception information.
http://msdn.microsoft.com/en-us/library/system.web.mvc.handleerrorattribute.aspx
Thursday, February 24, 2011 6:52 AM
Refer to this...
http://www.howmvcworks.net/CommonProblems/PotentiallyDangerousRequests
Thursday, February 24, 2011 7:07 AM
In addition to Stanly: if you're using MVC3 there is an AllowHtml attribute that can be applied to a property that must hold HTML (or potentially dangerous text). In this case you don't need ValidateInput(false), thus reducing the problem surface.
You should never trust user input, so I'd suggest using some kind of cleaning of the potentially dangerous text (for HTML, sanitization is the process of examining an HTML document and producing a new HTML document that preserves only whatever tags are designated "safe". (Wikipedia))
You can use this: http://htmlagilitypack.codeplex.com/ to build an HTML "sanitizer".
Thursday, February 24, 2011 7:13 AM
But I don't want to disable it. Now when a user writes HTML tags he is redirected to Error.aspx with the message 'Potentially Dangerous Request.......', BUT users don't know what is going on, so I would like to redirect them to a view with the message 'You can't write tags html' - it should be a view only for that error; for other errors I would have the default view Error.aspx.
Thursday, February 24, 2011 7:18 AM
It's a very common problem.
As a solution, add ValidateRequest="false" in the page directive as shown below:
<%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false" CodeFile="Default.aspx.cs" Inherits="_Default" %>
Thursday, February 24, 2011 7:23 AM
To be more clear, this error happens when you use HTML editors on your page to save data in the database.
So when IIS gets the query string with the HTML tags, it does not allow it to pass to w3wp.exe and reverts back with the message as given by you.
Thursday, February 24, 2011 8:10 AM
Thx reduencua - so the correct solution is:
[HandleError(View = "BadRequest", ExceptionType = typeof(HttpRequestValidationException))]
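An added example, not code from any of the posts above: one exception filter that sends HttpRequestValidationException to the "BadRequest" view and every other exception to the default "Error" view, so request validation stays on and the result does not depend on how several HandleError attributes are ordered. The names FriendlyErrorAttribute, CommentModel and CommentController are hypothetical; it assumes customErrors is enabled in web.config and that both views exist under Views/Shared.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter: picks the view from the exception type.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class FriendlyErrorAttribute : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        // Skip child actions, exceptions another filter already handled,
        // and the case where custom errors are off (developer error page).
        if (filterContext.IsChildAction || filterContext.ExceptionHandled ||
            !filterContext.HttpContext.IsCustomErrorEnabled)
            return;

        bool rejectedInput = filterContext.Exception is HttpRequestValidationException;
        var info = new HandleErrorInfo(
            filterContext.Exception,
            (string)filterContext.RouteData.Values["controller"],
            (string)filterContext.RouteData.Values["action"]);

        filterContext.Result = new ViewResult
        {
            ViewName = rejectedInput ? "BadRequest" : "Error",
            ViewData = new ViewDataDictionary<HandleErrorInfo>(info),
            TempData = filterContext.Controller.TempData
        };
        filterContext.ExceptionHandled = true;
        filterContext.HttpContext.Response.Clear();
        // 400 for rejected input is a choice made in this example
        filterContext.HttpContext.Response.StatusCode = rejectedInput ? 400 : 500;
        filterContext.HttpContext.Response.TrySkipIisCustomErrors = true;
    }
}

public class CommentModel
{
    public string Title { get; set; }   // still request-validated
    [AllowHtml]                         // MVC 3: only this property may carry markup
    public string Body { get; set; }    // sanitize before storing or rendering
}

[FriendlyError]
public class CommentController : Controller
{
    [HttpPost] // markup in Title throws during model binding and reaches the filter
    public ActionResult Create(CommentModel model) { return View(model); }
}
```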