
Gracefully handling potentially dangerous Request.Form values in Umbraco CMS

I am close to launching my first Umbraco site, but am just running through the last-minute testing.

I tried being a 'hacker' and entering dangerous stuff in my search form and contact form, which .NET blocked with a big yellow error page and the following error:

A potentially dangerous Request.Form value was detected from the client (Subject="test <b> 'haha").

I have researched this error and found many solutions where people post ways of disabling this error, but I am concerned that if I do, it will allow malicious data to be posted, as I don't (knowingly) have anything in place to safely handle it.

I am using uContactor for the contact form, and the search facility is based on the tutorial here.

In my previous days developing in classic ASP, it was just a case of HTML-Encoding the request (and replacing a few naughty characters such as < and > etc) but I would appreciate some advice on the best way to handle such things on an ASP.NET MVC / Umbraco site, as it's still very new to me.

(I don't want to prevent people from entering these things, just for the site to handle it safely and gracefully). Thank you.

This error checking actually happens a level above Umbraco. This gets picked up by ASP.Net before Umbraco runs.

You can turn it off as you've discovered, but whether or not the site will handle the potentially dangerous input correctly will be down to what the pages do with the data and how they store/render it.

You can turn it off on a per-page basis, that way you can allow it on pages where you may want invalid characters to be submitted (eg if you have a field that accepts HTML). I'd say this is probably better than blanket disabling it. This does mean it's down to you to mitigate against any dangerous input, however.

The question here shows you how to disable request validation for specific controller methods in MVC:

I can't turn off Request Validation for an ASP.NET MVC Controller
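As an added illustration of the per-action approach the answer describes (example code, not from the question, the answer, or uContactor), here is an ASP.NET MVC contact controller that lets `<b>` and `'` through for the two form fields only, and leaves safety to output encoding. The names `ContactFormModel`, `ContactController` and `SaveMessage` are assumptions; `[AllowHtml]`, `[ValidateInput(false)]` and `HttpUtility.HtmlEncode` are the real MVC/System.Web APIs. In an Umbraco site the same attributes apply to a `SurfaceController` action.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web;
using System.Web.Mvc;

namespace ContactDemo
{
    // Hypothetical view model for the contact form.
    // [AllowHtml] tells MVC's granular request validation to skip this one
    // property, so "test <b> 'haha" in Subject no longer raises
    // "A potentially dangerous Request.Form value was detected", while every
    // other posted field (and the query string, cookies, etc.) is still checked.
    public class ContactFormModel
    {
        [Required, StringLength(200)]
        [AllowHtml]
        public string Subject { get; set; }

        [Required, StringLength(4000)]
        [AllowHtml]
        public string Message { get; set; }
    }

    public class ContactController : Controller
    {
        [HttpGet]
        public ActionResult Index()
        {
            return View(new ContactFormModel());
        }

        // Alternative to [AllowHtml]: [ValidateInput(false)] on the action
        // disables request validation for every field posted to it. Prefer the
        // narrower [AllowHtml] when you control the model; use this only when
        // you do not.
        // [ValidateInput(false)]
        [HttpPost]
        public ActionResult Index(ContactFormModel model)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            // Store the text exactly as typed. Encode when rendering, not when
            // saving, so the data is not double-encoded or mangled in email/DB.
            SaveMessage(model);
            return RedirectToAction("Thanks");
        }

        public ActionResult Thanks()
        {
            return View();
        }

        // Hypothetical persistence hook (e-mail, database, etc.).
        private static void SaveMessage(ContactFormModel model)
        {
        }
    }

    // Output side: encode once, at the point where the value meets HTML.
    // Razor's @Model.Subject does this for you; @Html.Raw(Model.Subject) does not.
    public static class SafeOutput
    {
        public static string ForHtml(string raw)
        {
            // Turns < > & " and ' into their HTML entities so the browser
            // displays the user's text instead of interpreting it as markup.
            return HttpUtility.HtmlEncode(raw);
        }
    }
}
```

Two caveats a practitioner should keep in mind: `[ValidateInput(false)]` and `[AllowHtml]` only suppress the framework check, so anything that later emits the stored value (Razor views, e-mail bodies, JSON) must encode it for that context; and on MVC 2 under ASP.NET 4.0 the per-action attribute only takes effect with `<httpRuntime requestValidationMode="2.0" />` in web.config, whereas MVC 3 and later handle it without that setting.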
