asp.net mvc 4 - Input sanitization with MVC Razor - how to be safe? -


if have standard signup form text field, , type script tags it, mvc sends error saying "a potentially dangerous request.form value detected client". debug error? users see on live site?

is there safe , easy way silently accept , encode/sanitize input field such mvc doesn't throw scary error, input rendered harmless?

obviously i'd want make sure output encoded, razor takes care of part, , i'm careful @html.raw. taking care of database inputs using parameterized queries, sql injection shouldn't threat.

the "a potentially dangerous request.form value detected client" exception not debug error , is error propagate on deployment server. users see error (or custom error page) on live server.

to allow un-sanitized html bound model may of following:

  1. decorate signup model properties [allowhtml] attribute
  2. decorate signup controller action [validateinput( false )] attribute

  3. if you're using mvc v4.0 include following in web.config:

    <location path="accounts/signup"> <system.web> <pages validaterequest="false" /> <httpruntime requestvalidationmode="2.0" /> </system.web> </location>

i repeat, of above allow un-sanitized html bound model. means there no "a potentially dangerous request.form value detected client" error input not sanitized , still contain potentially harmful tags.

to allow sanitized input bound model may adapt propertybindattribute implementation customizing property binding through attributes allow decorate model properties [allowsanitizedhtml] attribute functionality allow html input accepted after sanitization. sanitization, can use microsoft.security.application.encoder.encode() helper method (nuget package name: 'antixss')

firstly, attribute provide base class propery binding:

[attributeusage( attributetargets.property , allowmultiple = false )] public abstract class abstractpropertybinderattribute :     attribute {      public abstract bool bindproperty(         controllercontext controllercontext ,         modelbindingcontext bindingcontext ,         propertydescriptor propertydescriptor         );  }

then, custom model binder knows of attribute model binding may handle special case of attribute property binding:

public class custommodelbinder :      defaultmodelbinder {      protected override void bindproperty(         controllercontext controllercontext ,         modelbindingcontext bindingcontext ,          propertydescriptor propertydescriptor )     {         if( propertydescriptor.attributes.oftype<abstractpropertybinderattribute>().any() )         {             var modelbindattr = propertydescriptor.attributes.oftype<abstractpropertybinderattribute>().firstordefault();              if( modelbindattr.bindproperty(                     controllercontext ,                     bindingcontext ,                     propertydescriptor ) )             {                 return;             }         }          base.bindproperty(             controllercontext ,             bindingcontext ,             propertydescriptor             );     } }

don't forget add following code global.asax allow custommodelbinder used default:

system.web.mvc.modelbinders.binders.defaultbinder = new custommodelbinder();

finally, allowsanitizedhtmlattribute:

public class allowsanitizedhtmlattribute :     abstractpropertybinderattribute ,     imetadataaware {      public override bool bindproperty(         controllercontext controllercontext ,         modelbindingcontext bindingcontext ,         propertydescriptor propertydescriptor )     {         if( propertydescriptor.propertytype == typeof( string ) )         {             var unvalidatedvalueprovider = bindingcontext.valueprovider iunvalidatedvalueprovider;             var result = unvalidatedvalueprovider.getvalue(                 propertydescriptor.name ,                 true                  );              if( result != null )             {                 propertydescriptor.setvalue(                     bindingcontext.model ,                     encoder.htmlencode( result.attemptedvalue )                     );                 return true;             }         }          return false;     }       #region imetadataaware members      public void onmetadatacreated( modelmetadata metadata )     {         if( metadata == null )             throw new argumentnullexception( "metadata" );          metadata.requestvalidationenabled = false;     }      #endregion  }

now can safetly decorate model properties require sanitization in signup form [allowsanitizedhtml] attributes. allow input model properties silently bound after being sanitized.


Comments

Post a Comment

Popular posts from this blog

user interface - How to replace the Python logo in a Tkinter-based Python GUI app? -

is there way change default logo, python logo , appears in window's task bar? notice have replaced default tk logo used appear in application window. i using windows 7 , python 2.6 , developing gui of tkinter. you can using winico tk extension package. winico package can used add system tray icons tk programs. the following sample shows 1 way change runtime application icon. note need provide .ico file suitable sizes of icons in on command line , need use pythonw. not change taskbar icon console when running python script. test extracted winico0.6 package python\tcl\winico0.6 folder package require winico work , ran code below using pythonw winico_test.py path\to\some\ico\file.ico . import sys tkinter import * def main(argv): root = tk() root.update() root.tk.call('package','require','winico') id = root.tk.call('winico','createfrom',argv[1]) root.tk.call('winico','setwindow',root,id...
Read more

objective c - Greedy NSProgressIndicator Allocation -

i'm using bunch of nsprogressindicators @ once (32 exact) , looks when they're animating start allocating memory no one's business greedy_run http://i62.tinypic.com/15rgmso.png i've got reports app slowdown , crash after days of uptime, , looks culprit, it's hard pinpoint bugs take days appear. i comment out call start animating, memory behaves expected. result of multiple nsprogressindicators alloc'ed on same thread? or maybe sandboxing? of constant allocations coming core animation threads, don't know else going on. custom nsview progress indicator lives in @interface myview () @property (nonatomic, strong) nsimageview *imageview; @property (nonatomic, strong) nstextview *numbertxt; @property (nonatomic, strong) nsprogressindicator *progress; @end @implementation myview - (id)initwithframe:(nsrect)framerect { self = [super initwithframe:framerect]; if (self) { // image nsimage *image = [nsimage imagenamed:@"bg.png"]; c...
Read more

how to set an OCR language in Google Drive -

i need upload image google drive including ocr feature. the problem setocrlanguage method. need specify hebrew language , based on iso 639-1 codes should "heb". i'm getting response "code" : 400, "errors" : [ { "domain" : "global", "location" : "ocrlanguage", "locationtype" : "parameter", "message" : "invalid value", "reason" : "invalid" } ], any idea should code or can list of avaliable codes?
Read more