Sunday, April 19, 2009

ValidateInput Attribute in ASP.NET MVC - Potentially Dangerous Request.Form Values

By default, your controller actions will validate the Request.Form contents for potentially dangerous values. You will know this, because if you attempt to enter HTML tags in a form when submitting it:


e.g: <>

You will get the “A potentially dangerous Request.Form value was detected from the client...“ error as shown here:




ValidateInputAttribute in ASP.NET MVC
To turn off validation of the Request.Form values, the ASP.NET MVC Framework provides a ValidateInputAttribute that you can use to decorate your MVC action methods or controller class:

[AcceptVerbs(HttpVerbs.Post)]
[ValidateInput(false)]
public ActionResult Create(string title)
{
    // Request validation is off for this action, so title may contain markup.
    // Do Something...
    return View();
}

Notice the ValidateInput Attribute above and the fact that I turned off validation by passing false to it.

If you look at the source of the ASP.NET MVC Framework, you will see that the ValidateInput attribute is masquerading as an IAuthorizationFilter so that it will be one of the first filters to run when a controller action is run. During the OnAuthorization method it just quietly sets the controller's ValidateRequest property to the value you passed to it (false in this case). The value of that property controls whether ValidateInput gets called on the HttpRequest when the ControllerActionInvoker is invoking the action.
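
As an added example (not code from this post or from the ASP.NET MVC source), the same hook can narrow the exemption: the hypothetical AllowRawFieldsAttribute below sets ValidateRequest to false exactly as described above, then rejects markup in every form field that was not explicitly named. It assumes the MVC pipeline described here, where the invoker calls ValidateInput only after the authorization filters have run; PostsController and the field names are illustrative.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter, not part of ASP.NET MVC. It uses the same hook as
// ValidateInputAttribute: an IAuthorizationFilter that sets ValidateRequest.
public sealed class AllowRawFieldsAttribute : FilterAttribute, IAuthorizationFilter
{
    private readonly string[] _rawFields;

    public AllowRawFieldsAttribute(params string[] rawFields)
    {
        _rawFields = rawFields ?? new string[0];
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        // Same effect as [ValidateInput(false)]: the invoker will now skip
        // Request.ValidateInput() for this action.
        filterContext.Controller.ValidateRequest = false;

        // Keep a strict check on every form field that was not exempted.
        // Query string and cookies are NOT re-checked by this sketch.
        NameValueCollection form = filterContext.HttpContext.Request.Form;
        foreach (string key in form.AllKeys)
        {
            if (key == null || Array.IndexOf(_rawFields, key) >= 0) continue;
            string value = form[key] ?? string.Empty;
            if (value.IndexOf('<') >= 0 || value.IndexOf('>') >= 0)
                throw new HttpRequestValidationException(
                    "Markup is not allowed in form field '" + key + "'.");
        }
    }
}

public class PostsController : Controller
{
    [AcceptVerbs(HttpVerbs.Post)]
    [AllowRawFields("body")]   // only "body" may carry angle brackets
    public ActionResult Create(string title, string body)
    {
        // body arrives unvalidated: encode it wherever it is written into HTML.
        string html = "<h1>" + HttpUtility.HtmlEncode(title) + "</h1>"
                    + "<pre>" + HttpUtility.HtmlEncode(body) + "</pre>";
        return Content(html, "text/html");
    }
}
```

Whichever attribute is used, the exempted value is untrusted markup from that point on, so the output encoding in the action (or in the view) is what keeps it from being rendered as live HTML.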

Good stuff to know as you start working with the ASP.NET MVC Framework.
