  • Richard Eyres 98 posts 580 karma points
    Jul 04, 2014 @ 09:10
    Richard Eyres
    0

    Potentially Dangerous Request with Umbraco 7

    While I have seen plenty of information on this issue on these forums, they have been for Umbraco 6 and below. I am after a possible solution to avoid this issue with Contour with Umbraco 7.

    I have amended the httpRuntime to show
    <httpRuntime requestValidationMode="2.0" enableVersionHeader="false" targetFramework="4.5" />

    The pages show
    <pages enableEventValidation="false" validateRequest="false">

    If HTML is added within a Contour form it returns the nasty Potentially Dangerous Request error message. Is there any way we can avoid this? If we can turn off the Validation, does Contour encode the HTML? Can we return a better error message instead of the message and executing the HTML?

    To be honest, we are not expecting a lot of these happening on the site we are working on, but would be nice to know for the future as well.

  • Jan Skovgaard 11280 posts 23678 karma points MVP 10x admin c-trib
    Jul 04, 2014 @ 10:40
    Jan Skovgaard
    0

    Hi Richard

    The way to avoid this issue should be the same in 6 and 7. However it might differ whether you're running webforms or MVC perhaps.

    Maybe you can find some more information regarding how to disable/improve the experience here http://forums.asp.net/t/1824390.aspx?How+do+I+avoid+this+error+A+potentially+dangerous+Request+Form+value+.

    I've asked about the proper way of allowing HTML in form fields in .NET and the answer has always been to use the html.agilitypack, which is already a part of the core. But since I'm a frontend guy I have never had the time to look at it myself though. HTML Agility Pack is also mentioned in the comments in the referenced thread.

    Perhaps some more useful information can be found here http://stackoverflow.com/questions/2962038/how-to-remove-dangerous-charactersie-script-tags

    Hope this helps.

    /Jan

  • Richard Eyres 98 posts 580 karma points
    Jul 04, 2014 @ 10:54
    Richard Eyres
    0

    Thanks Jan

    This is an MVC build, sorry - should have mentioned that in my opening post.

    This is all good information that I know about for my non-Umbraco builds. In most builds I would allow HTML to be passed through via a data annotation. I am not aware of how to duplicate this with the current version of Contour. Are we to intercept the submission to parse the content before forwarding it on to be stored? Seems a little bit of a pain for something that should be considered a basic requirement (to allow/disallow html in submissions).

    Will look into this a little more over the next couple of days to see if i can come up with something.
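
An added illustration of the two approaches mentioned in this thread, a per-property data annotation and cleaning the markup with the HTML Agility Pack before it is stored; it is not code from either poster or from Contour. `MessageModel`, `HtmlAllowList` and the tag policy are assumptions made for the example, and how to hook this into a Contour submission is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using HtmlAgilityPack;

// Hypothetical view model: [AllowHtml] exempts only this property from
// request validation, so validation stays on for every other field.
public class MessageModel
{
    [AllowHtml]
    public string Body { get; set; }
}

public static class HtmlAllowList
{
    // Assumed policy for this example: basic formatting plus http(s) links.
    private static readonly HashSet<string> AllowedTags = new HashSet<string>(
        new[] { "p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a" },
        StringComparer.OrdinalIgnoreCase);

    public static string Sanitize(string input)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(input ?? string.Empty);

        // Snapshot the tree first, because nodes are removed while iterating.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Text) continue;

            // Comments and any element outside the allow-list are dropped
            // together with their content (script, iframe, form, ...).
            if (node.NodeType != HtmlNodeType.Element || !AllowedTags.Contains(node.Name))
            {
                node.Remove();
                continue;
            }

            // Drop every attribute (onclick, style, ...) except a safe href.
            foreach (var attr in node.Attributes.ToList())
            {
                Uri uri;
                bool isLink = node.Name == "a" && attr.Name == "href"
                    && Uri.TryCreate(HtmlEntity.DeEntitize(attr.Value), UriKind.Absolute, out uri)
                    && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
                if (!isLink) attr.Remove();
            }
        }
        return doc.DocumentNode.OuterHtml;
    }
}
```

Fields that are not meant to carry markup are better left under request validation and HTML-encoded when rendered, rather than passed through a sanitizer.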
