Potentially Dangerous Request with Umbraco 7
While I have seen plenty of information on this issue on these forums, they have been for Umbraco 6 and below. I am after a possible solution to avoid this issue with Contour with Umbraco 7.
I have amended the httpRuntime to show
<httpRuntime requestValidationMode="2.0" enableVersionHeader="false" targetFramework="4.5" />
The pages show
<pages enableEventValidation="false" validateRequest="false">
If HTML is added within a Contour form it returns the nasty Potentially Dangerous Request error message. Is there any way we can avoid this? If we can turn off the validation, does Contour encode the HTML? Can we return a better error message instead of the message and executing the HTML?
To be honest, we are not expecting a lot of these happening on the site we are working on, but would be nice to know for the future as well.
Hi Richard
The way to avoid this issue should be the same in 6 and 7. However, it might differ whether you're running webforms or MVC perhaps.
Maybe you can find some more information regarding how to disable/improve the experience here http://forums.asp.net/t/1824390.aspx?How+do+I+avoid+this+error+A+potentially+dangerous+Request+Form+value+.
I've asked about the proper way of allowing HTML in form fields in .NET and the answer has always been to use the html.agilitypack, which is already a part of the core. But since I'm a frontend guy I have never had the time to look at it myself though. HTML Agility Pack is also mentioned in the comments in the referenced thread.
Perhaps some more useful information can be found here http://stackoverflow.com/questions/2962038/how-to-remove-dangerous-charactersie-script-tags
Hope this helps.
/Jan
Thanks Jan
This is an MVC build, sorry - should have mentioned that in my opening post.
This is all good information that I know about for my non-Umbraco builds. In most builds I would allow HTML to be passed through via a data annotation. I am not aware of how to duplicate this with the current version of Contour. Are we to intercept the submission to parse the content before forwarding it on to be stored? Seems a little bit of a pain for something that should be considered a basic requirement (to allow/disallow HTML in submissions).
Will look into this a little more over the next couple of days to see if I can come up with something.
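An added example, not part of the thread and not Contour's own code: in plain ASP.NET MVC, one data annotation that lets HTML through for a single property is [AllowHtml], and the HTML Agility Pack mentioned above can then reduce the submitted markup to an allowlist before it is stored. The model, controller and tag list are hypothetical, and hooking this into Contour's submission pipeline is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using HtmlAgilityPack;

// Hypothetical model: [AllowHtml] skips request validation for this property only,
// so every other field still gets the "potentially dangerous request" check.
public class CommentModel
{
    [AllowHtml]
    public string Message { get; set; }
}

public static class HtmlAllowlist
{
    // Assumed allowlist; adjust to what the form should accept.
    static readonly HashSet<string> Tags = new HashSet<string>(
        new[] { "p", "br", "b", "i", "em", "strong", "ul", "ol", "li" },
        StringComparer.OrdinalIgnoreCase);

    public static string Sanitize(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;
        var doc = new HtmlDocument();
        doc.LoadHtml(input);
        // Snapshot the nodes first: the tree is modified while we walk it.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment) { node.Remove(); continue; }
            if (node.NodeType != HtmlNodeType.Element) continue;
            // Anything not on the list (script, iframe, img, a, ...) goes, children included.
            if (!Tags.Contains(node.Name)) { node.Remove(); continue; }
            node.Attributes.RemoveAll(); // no attributes at all: drops on*, style, href
        }
        return doc.DocumentNode.InnerHtml;
    }
}

public class CommentController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Submit(CommentModel model)
    {
        string safe = HtmlAllowlist.Sanitize(model.Message);
        // Persist `safe` here (storage is out of scope for this example).
        return new HttpStatusCodeResult(204);
    }
}
```

Where a field is meant to hold plain text only, HTML-encoding the value when it is rendered is enough and no allowlist is needed.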