Codefluent Potentially dangerous Request.Form value with richtext fields


After adding the multivalue (flags) enumeration solution (which works very well, thank you) from

http://blog.codefluententities.com/tag/multi-enumeration-values/

to our MVC project we are now getting the dreaded "Potentially dangerous Request.Form value" on richtext fields across the board that we're using to generate html with a wysiwyg editor (summernote in this case).

If I remove summernote and just submit plain text the fields work perfectly, however putting any html code into the text input generates the error.

Fortunately, the error is coming out of the code just added (above) for the multi-enumeration on line 246:

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (Description="...rem ipsum <strong>dolor</stron...").

Source Error: 

Line 244:                        continue;
Line 245:
Line 246:                    Add(name, nvc[name]);
Line 247:
Line 248:                }

EDIT:

For clarity, here is the whole method in question:

        private void AddRange(NameValueCollection nvc)
        {
            foreach (string name in nvc)
            {
                // handle MultiSelectList templates
                // MVC's CheckBox helper posts "true,false" for a checked box and "false"
                // for an unchecked one, so the Selected list carries one extra entry per
                // checked item; the double j++ below skips that hidden "false".
                const string listSelectedToken = ".list.item.Selected";
                const string listValueToken = ".list.item.Value";
                if (name.EndsWith(listSelectedToken))
                {
                    List<bool> bools = CodeFluent.Runtime.Utilities.ConvertUtilities.SplitToList<bool>(nvc[name], ',');
                    string propertyName = name.Substring(0, name.Length - listSelectedToken.Length);
                    string valueKey = propertyName + listValueToken;
                    List<string> keys = CodeFluent.Runtime.Utilities.ConvertUtilities.SplitToList<string>(nvc[valueKey], ',');
                    int j = 0;
                    StringBuilder sb = new StringBuilder();
                    for (int i = 0; i < keys.Count; i++)
                    {
                        if (bools[j])
                        {
                            if (sb.Length > 0)
                            {
                                sb.Append(CodeFluentConfiguration.EntityKeyListSeparator);
                            }
                            sb.Append(keys[i]);
                            j++;
                        }
                        j++;
                    }
                    // the selected keys are joined into one value for the multi-valued property
                    Add(propertyName, sb.ToString());
                    continue;
                }

                // the Value list was already consumed together with its Selected list
                if (name.EndsWith(listValueToken))
                    continue;

                // every other field is passed through as-is (this is line 246 in the error)
                Add(name, nvc[name]);

            }
        }

Have I missed something in the multi-value implementation?

Thanks,

Russ


Solution

  • I don't think this error is related to the use of a multi-valued enumeration. In fact you post a value for the Description field that contains HTML tags (strong). By default ASP.NET prevents this and throws a validation exception.

    If you expect your users to enter HTML, you must instruct ASP.NET to authorize HTML.

    Change the EntityValueProvider

    AddRange(context.HttpContext.Request.Unvalidated.Form); // Add Unvalidated
    AddRange(context.HttpContext.Request.Unvalidated.QueryString);
    

    Or use the web.config: validateRequest or requestValidationMode

    <system.web>
      <pages validateRequest="false" />
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
    

    Use AllowHtmlAttribute

    public class Sample
    {
        [AllowHtml] 
        public string Description {get;set;}
    }
    

    Or ValidateInputAttribute

    // MVC's ValidateInputAttribute only has EnableValidation (no Exclude property),
    // so this switches validation off for every value bound by this action.
    [HttpPost, ValidateInput(false)]
    public ActionResult Edit(int id, FormCollection collection)
    {
        ...
    }
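Whichever of the switches above is used, request validation only decides whether the markup gets into the application; it is not a sanitizer. Storing Summernote output untouched and rendering it later with Html.Raw turns the Description field into a stored XSS sink for every user who views the record. [AllowHtml] is the narrowest switch, but it only takes effect when the value is bound through a value provider that honors the skip-validation flag; a custom provider that reads Request.Form directly, as in the question, validates every key, which is why the first option changes it to Request.Unvalidated. The following is an added example, not code from the original answer or from CodeFluent, of the pattern a reviewer would want behind any of those switches: let the HTML in for one property and reduce it to an allow-list before it is persisted. It assumes the HtmlSanitizer NuGet package (namespace Ganss.XSS) is referenced; ArticleEditModel, ArticleController and RichTextSanitizer are hypothetical names.

```csharp
using System.Web.Mvc;
using Ganss.XSS; // HtmlSanitizer NuGet package (assumed to be referenced by the project)

// Hypothetical view model. [AllowHtml] lifts request validation for this one
// property only; every other posted field keeps the default protection.
public class ArticleEditModel
{
    public int Id { get; set; }

    [AllowHtml]
    public string Description { get; set; }
}

// Allow-list sanitizer tuned to the markup a WYSIWYG editor such as Summernote
// produces. Tags, attributes and URL schemes not listed here are removed, which
// covers <script>, <iframe>, on* event handlers and javascript: links.
public static class RichTextSanitizer
{
    private static readonly string[] AllowedTags =
    {
        "p", "br", "strong", "b", "em", "i", "u", "ol", "ul", "li",
        "a", "h1", "h2", "h3", "blockquote"
    };

    private static HtmlSanitizer Create()
    {
        var sanitizer = new HtmlSanitizer();

        sanitizer.AllowedTags.Clear();
        foreach (string tag in AllowedTags)
        {
            sanitizer.AllowedTags.Add(tag);
        }

        // Only href survives; style, class and event attributes are dropped.
        sanitizer.AllowedAttributes.Clear();
        sanitizer.AllowedAttributes.Add("href");

        sanitizer.AllowedSchemes.Clear();
        sanitizer.AllowedSchemes.Add("http");
        sanitizer.AllowedSchemes.Add("https");

        return sanitizer;
    }

    public static string Sanitize(string html)
    {
        if (string.IsNullOrEmpty(html))
        {
            return html;
        }

        // A fresh instance per call avoids any question of shared mutable state.
        return Create().Sanitize(html);
    }
}

public class ArticleController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(ArticleEditModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Request validation let the HTML through; clean it before it reaches
        // the database, never at render time only.
        model.Description = RichTextSanitizer.Sanitize(model.Description);

        // Persist with the project's own entity/repository here (omitted).
        return RedirectToAction("Details", new { id = model.Id });
    }
}
```

The sanitized value is the only thing that should ever be emitted with Html.Raw in a view; anything else on the page goes through the default HTML-encoding Razor syntax. If the custom EntityValueProvider is switched to Request.Unvalidated instead, the same sanitizer call belongs wherever that provider's values are mapped onto the entity, because at that point nothing else is checking them.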