
ASP.NET Core how to override not valid value message

I'm performing penetration tests with Acunetix and the following query "api/venues?gameId=1'"()%26%25vAtC(9571)" is getting the following response:

 { "status": 400, "userMessage": [ "There are validation errors" ], "validationErrors": [ "The value '1'\\"()&%<acx><ScRiPt >NJMi(9780)</ScRiPt>' is not valid." ] }

This is detected by Acunetix as a possible XSS security issue and I would like to override the validation error message in order to avoid this in the whole application.

Model binder messages can be customized like this:

services.AddMvcCore().AddMvcOptions(options =>
{
    options.ModelBindingMessageProvider.SetNonPropertyAttemptedValueIsInvalidAccessor(s => "The provided value is invalid.");
});

It's worth adding that there are 3 other baked-in binder errors, which display the value back, altogether:

options.ModelBindingMessageProvider.SetAttemptedValueIsInvalidAccessor((x, y) => $"The value is not valid for {y}.");
options.ModelBindingMessageProvider.SetNonPropertyAttemptedValueIsInvalidAccessor(x => "The value is not valid.");
options.ModelBindingMessageProvider.SetValueIsInvalidAccessor(x => "The value is invalid.");
options.ModelBindingMessageProvider.SetValueMustNotBeNullAccessor(x => "The value is invalid.");

Best to check MSDN ModelBinding message providers, for what's currently available.
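
The two answers combined into one application-wide configuration, as an added example that is not part of the original answers. It assumes ASP.NET Core 6 or later with the minimal hosting model; `VenuesController` and its `int gameId` parameter are hypothetical stand-ins for the endpoint in the question.

```csharp
// Program.cs -- added example, not code from the question or the answers.
// Assumes ASP.NET Core 6+ (web SDK with implicit usings).
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers(options =>
{
    var messages = options.ModelBindingMessageProvider;

    // Each accessor below receives the raw attempted value as its first
    // argument. Returning fixed text and never interpolating that argument
    // keeps request input out of the validation error response.
    messages.SetAttemptedValueIsInvalidAccessor(
        (value, field) => $"The value is not valid for {field}.");
    messages.SetNonPropertyAttemptedValueIsInvalidAccessor(
        value => "The value is not valid.");
    messages.SetValueIsInvalidAccessor(
        value => "The value is invalid.");
    messages.SetValueMustNotBeNullAccessor(
        value => "The value is invalid.");
});

var app = builder.Build();
app.MapControllers();
app.Run();

// Hypothetical controller standing in for api/venues from the question.
// [ApiController] returns an automatic 400 when gameId cannot be bound to
// an int; the error text then comes from the accessors configured above.
[ApiController]
[Route("api/venues")]
public class VenuesController : ControllerBase
{
    [HttpGet]
    public IActionResult Get([FromQuery] int gameId) => Ok(new { gameId });
}
```

Re-running the scanner's request against the endpoint and confirming that the 400 body no longer contains the submitted string is the check that the override took effect.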
