
[validateinput(false)] not working by TonyBolding

Closed as By Design

Type: Bug
ID: 543069
Opened: 3/18/2010 5:27:45 PM
Access Restriction: Public
0 Workaround(s)
1 User(s) can reproduce this bug
When submitting an HTTP POST containing the < character, MVC blocks this and reports a potentially dangerous script.
This can be overcome in .NET 3.5 by adding the controller directive [ValidateInput(false)].
This does not work in .NET 4.0, so it is not possible to post the contents of a textarea containing the < character.

Product Language

English

Version

.NET Framework 4 Release Candidate

Operating System

Windows 7

Operating System Language

English

Steps to Reproduce

Create an MVC project. Create an action result, say public ActionResult Edit(). Create a view (edit.aspx). In the view add:
<%-- Submitting this form posts the literal "<b>" markup in the textarea --%>
<% using (Html.BeginForm()) { %>

<textarea .... > some text <b>in bold</b></textarea>
<input type="submit" />
<% } %>

Actual Results

yellow screen of death

Expected Results

not the above
Posted by Microsoft on 3/26/2010 at 10:14 AM
Hi,

The request validation feature in ASP.NET has changed from v3.5 to v4. In ASP.NET 4 request validation runs much earlier in the request life cycle - before ASP.NET MVC has a chance to switch it off based on the attribute value. Check out the "breaking changes in ASP.NET 4" documentation on the ASP.NET web site:
http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes/#_TOC7

You can switch the request validation feature to go back to the "old" behavior with a web.config setting. This will get you the behavior that you saw in ASP.NET 3.5 (despite the setting being called "2.0").

Thanks,
The ASP.NET Team
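
The web.config setting the reply above refers to, as an added example that is not part of the original thread or Microsoft's reply: the attribute is requestValidationMode on the httpRuntime element, shown here in a minimal application-level web.config.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!--
      ASP.NET 4 default: requestValidationMode="4.0".
      Request validation runs early in the pipeline for every request,
      before MVC has read [ValidateInput(false)], so the attribute has
      no effect and the post containing "<" is rejected.
    -->

    <!--
      requestValidationMode="2.0" restores the earlier behavior:
      validation is still on by default, but MVC can skip it for an
      action marked [ValidateInput(false)].
    -->
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
</configuration>
```

With this setting, keep [ValidateInput(false)] only on the actions that must accept markup, and HTML-encode or sanitize that value wherever it is rendered.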
Posted by Microsoft on 3/26/2010 at 4:38 AM
Thank you for reporting the issue.
We were able to reproduce the issue with the detailed steps you provided. We are routing this issue to the appropriate group within the Visual Studio Product Team for triage and resolution. These specialized experts will follow up with your issue.
Posted by Otto Fischer on 3/20/2010 at 6:22 AM
The Url
/home/test/33:f

The Code:
        [ValidateInput(false)]
        public ActionResult Test(string id)
        {
            ViewData["test"] = id;
            return View();
        }

The Error:

[HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (:).]
System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +8815985
System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +59
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:4.0.30128; ASP.NET Version:4.0.30128.1
Posted by Microsoft on 3/19/2010 at 3:27 AM
Thank you for your feedback, we are currently reviewing the issue you have submitted. If this issue is urgent, please contact support directly (http://support.microsoft.com).