AllowHtml with PRG pattern in MVC 3

Developer https://www.devze.com 2023-03-25 20:20 Source: Internet
I can't get the AllowHtml attribute (used in the DirtySearch class) to work with the following actions:

    public ActionResult NewEntry(string searchIndex, string searchString)
    {
        var model = new SearchResultsModel(loserID, searchIndex, searchString);
        return View(model);
    }

    [HttpPost]
    public ActionResult GetSearchResults(DirtySearch dirtySearch)
    {
        return RedirectToAction("NewEntry", new { searchIndex = dirtySearch.SearchIndex, searchString = dirtySearch.SearchString });
    }

I'm receiving the "A potentially dangerous Request.Path value was detected from the client (%)" error.

I've included the <httpRuntime requestValidationMode="2.0" /> in my Web.config, and put ModelMetadataProviders.Current = new DataAnnotationsModelMetadataProvider(); in the Application_Start method.

I feel as though I'm overlooking something obvious here.


Do not suppress this error. It seems you have a security problem because of the PATH still having a problem. What is the path? (Check Fiddler so you can see all the request details.)

Taken from: http://blogs.msdn.com/b/marcinon/archive/2010/11/09/mvc3-granular-request-validation-update.aspx

"the granular request validation in MVC 3 only supports turning off validation for Form (and sometimes QueryString). Path will still be validated, as well as the remaining Request collections.

Your module should access the Request values via the System.Web.Helpers.Validation.Unvalidated() method (available in System.Web.WebPages.dll) to get around the default request validation (that's what's being used by the mechanism that allows AllowHtml to work)."


You can probably suppress this error if you put an additional attribute on the httpRuntime node in your web.config:

    <system.web>
        <httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" />
    </system.web>

But you'd better read the documentation to understand what security features will be turned off by these settings.
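
One way to keep the PRG flow without relaxing path validation, as an added example that is not from the original thread: the POST action stores the `[AllowHtml]` value in `TempData` and redirects with no route values, so the raw input never reaches `Request.Path`. It assumes the redirect's route values were ending up in URL path segments; the shape of `DirtySearch`, the `SearchResultsModel` stand-in, the `SearchController` name and the `Index` action are assumptions.

```csharp
using System.Web.Mvc;

// Assumed shape of the question's DirtySearch class (not shown on the page).
public class DirtySearch
{
    public string SearchIndex { get; set; }

    [AllowHtml] // lifts request validation for this one form field only
    public string SearchString { get; set; }
}

// Stand-in for the question's SearchResultsModel, whose definition is not shown.
public class SearchResultsModel
{
    public string SearchIndex { get; set; }
    public string SearchString { get; set; } // still raw: render with @Model.SearchString, not Html.Raw
}

public class SearchController : Controller // hypothetical controller name
{
    [HttpPost]
    public ActionResult GetSearchResults(DirtySearch dirtySearch)
    {
        // Keep the raw value server-side for the redirect instead of passing
        // it as route values, so it never ends up in Request.Path.
        TempData["searchIndex"] = dirtySearch.SearchIndex;
        TempData["searchString"] = dirtySearch.SearchString;
        return RedirectToAction("NewEntry");
    }

    public ActionResult NewEntry()
    {
        var searchString = TempData["searchString"] as string;
        if (searchString == null)
        {
            // Direct request or reload: TempData has already been consumed.
            return RedirectToAction("Index"); // hypothetical search-form action
        }

        var model = new SearchResultsModel
        {
            SearchIndex = TempData["searchIndex"] as string,
            SearchString = searchString
        };
        return View(model);
    }
}
```

Because `TempData` is cleared once it has been read, reloading the results page sends the user back to the search form.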
