[AllowHtml] attribute #102
Comments
Can I get you to post up a sample app where you run into this problem? (e.g. in a temporary repo and link to it from here?) I'd just like some sort of reproduction scenario.
I created a sample app at https://github.com/mcamp1/AllowHtml/ Thanks!
@mcamp1 Sorry for the long time since you have posted and not getting back to you. Are you still experiencing an issue with your form input, or have you found a workaround?
Thanks for checking in! I am still experiencing the issue, and the only workaround I've found is to just disable validation. Any help would be appreciated!
@mcamp1 Thanks for confirming that. I was looking through the code yesterday and see where the .NET CAS client is pulling values out of POST-ed data using the .NET Framework's helper method, which passes through the forms validation and causes the exception to occur. You are applying the What I think needs to happen is the .NET CAS client needs to access the form values via the non-validated collection so that it never triggers the protection of .NET forms validation. Instead, it will manually perform any validation on the values it needs, and that way it won't step on the toes of what your application is (or isn't) doing with forms validation. I will test this out and create a fix for you if my assumption is correct.
@TheHokieCoder let me know if the automated building on AppVeyor fails. I think it may run into a problem and I'll need to fix it. If you do a push against the repo in the develop branch (gitflow methodology) or trigger a PR, AppVeyor should do an automatic build against the Cake build script in the repo.
@phantomtypist Thanks for that heads up! Partial good news is that, for .NET v4.5 and onwards, I was able to fix the request validation errors that the OP was encountering. v4.5+ provides a collection of non-validated inputs that don't trigger validation exceptions (HttpRequest.Unvalidated). However, before v4.5, such as v4.0, there is no such collection. Based on my research in documentation, it appears that the only recourse is to set the request validation mode back to 2.0 so that validation is only done for page requests...not all requests. (I found some useful info on an OWASP site) This is not ideal, but as far as I can tell there is no facility to read request inputs (query string and form) without triggering the request validation AND with leaving the validation mode at 4.0. Unless someone else can prove me wrong, I think we'll need to fix this bug for .NET v4.5+ and then make a note in the documentation that the request validation mode needs to be set back to 2.0 in order to prevent the exceptions. Another option is to swallow those exceptions and log them, but there are two cons to this approach:
I am OK with the originally proposed solution to throw up the caveat about .NET v4.0 and fix it for v4.5+. But I would like to get further input and give someone the chance to prove me wrong by showing a way we can read query string and form values without triggering validation in .NET Framework v4.0.
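The approach described in the two comments above, read the POST-ed values through the non-validated collection and then apply the client's own narrow check, looks like the following in .NET Framework 4.5+. This is an added illustration, not code from DotNetCasClient or from either commenter. The helper names, the `logoutRequest` form-field name and the `LogoutRequest` root-element check are assumptions made for the example; the page itself only names `RequestEvaluator.GetRequestIsCasSingleSignOut` and `HttpRequest.Unvalidated`.

```csharp
using System;
using System.IO;
using System.Web;
using System.Xml;

// Added example (not DotNetCasClient code). Shows reading form/query values via
// HttpRequest.Unvalidated (.NET 4.5+) so ASP.NET request validation is never
// triggered by the module, and then validating the one value the module needs.
public static class UnvalidatedRequestReader
{
    // ASSUMPTION: the CAS single-sign-out form field name is not given on the page.
    private const string LogoutParameter = "logoutRequest";

    // Upper bound to keep an oversized body from being parsed as XML.
    private const int MaxLogoutRequestLength = 64 * 1024;

    // Request.Params / Request.Form run every value through ValidateString (see the
    // stack trace in the issue), so a value such as "<strong>..." throws
    // HttpRequestValidationException before the application ever sees it.
    // Request.Unvalidated exposes the same collections without that step.
    public static string GetUnvalidatedValue(HttpRequest request, string name)
    {
        if (request == null) throw new ArgumentNullException("request");
        if (string.IsNullOrEmpty(name)) throw new ArgumentException("name is required", "name");

        // Form first, then query string; cookies and server variables are deliberately
        // not consulted, unlike Request.Params.
        return request.Unvalidated.Form[name] ?? request.Unvalidated.QueryString[name];
    }

    // The module's own check replaces the framework's blanket markup scan:
    // only a POST carrying a well-formed XML document with the expected root counts.
    public static bool IsCasSingleSignOutRequest(HttpRequest request)
    {
        if (request == null) throw new ArgumentNullException("request");
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return false;

        string logoutRequest = GetUnvalidatedValue(request, LogoutParameter);
        if (string.IsNullOrWhiteSpace(logoutRequest) || logoutRequest.Length > MaxLogoutRequestLength)
            return false;

        // Parse defensively: no DTDs, no external resolution, so the unvalidated
        // input cannot pull in entities or remote resources.
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };

        try
        {
            using (var reader = XmlReader.Create(new StringReader(logoutRequest), settings))
            {
                var document = new XmlDocument();
                document.Load(reader);
                // ASSUMPTION: root element name used for the example check.
                return document.DocumentElement != null
                    && document.DocumentElement.LocalName == "LogoutRequest";
            }
        }
        catch (XmlException)
        {
            // Not XML at all: treat as an ordinary application POST and let the
            // application's own [AllowHtml] / validation settings decide what to do.
            return false;
        }
    }
}
```

With the module reading `Request.Unvalidated` only, the application's `[AllowHtml]` decision stands on its own: values the module never touches are validated exactly as the application configures. As the comment notes, .NET 4.0 has no `Unvalidated` collection, so there the only option discussed is `requestValidationMode="2.0"` in web.config, which limits validation to page requests.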
I'm in favor of just doing the implementation in .NET 4.5.x and fully sunsetting the .NET 4.0 and lower support in this project. At this point in time, people need to stop using the older versions of the framework. It's going to make things easier in the long run internally within the project too.
Any objections from anyone deprecating support for anything lower than .NET 4.5.x?
@phantomtypist How about we:
I'm running into a problem using the AllowHtml attribute to allow posting HTML strings with DotNetCasClient installed. Any help would be appreciated. The attribute works fine without the CAS client, but throws an error as soon as it is installed.
Model:
```csharp
[AllowHtml]
public string Password { get; set; }
```
Stack Trace:
Server Error in '/' Application.
A potentially dangerous Request.Form value was detected from the client (Password="<strong>Hello World<...").
Description: ASP.NET has detected data in the request that is potentially dangerous because it might include HTML markup or script. The data might represent an attempt to compromise the security of your application, such as a cross-site scripting attack. If this type of input is appropriate in your application, you can include code in a web page to explicitly allow it. For more information, see http://go.microsoft.com/fwlink/?LinkID=212874.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (Password="<strong>Hello World<...").
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
```text
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (Password="<strong>Hello World<...").]
System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +9906997
System.Web.<>c__DisplayClass280_0.<ValidateHttpValueCollection>b__0(String key, String value) +23
System.Web.HttpValueCollection.EnsureKeyValidated(String key) +9904951
System.Web.HttpValueCollection.GetValues(Int32 index) +30
System.Collections.Specialized.NameValueCollection.Add(NameValueCollection c) +84
System.Web.HttpRequest.FillInParamsCollection() +52
System.Web.HttpRequest.GetParams() +90
System.Web.HttpRequest.get_Params() +33
DotNetCasClient.Utils.RequestEvaluator.GetRequestIsCasSingleSignOut() +100
DotNetCasClient.CasAuthenticationModule.OnBeginRequest(Object sender, EventArgs e) +288
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +144
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +50
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +73
```
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4001.0