ASP.NET MVC application, target framework: .NET Framework 4.7.2
Pretty old project with a bunch of legacy code.
Web.config file in Views folder contains the following part:
<system.web>
<!--
Enabling request validation in view pages would cause validation to occur
after the input has already been processed by the controller. By default
MVC performs request validation before a controller processes the input.
To change this behavior apply the ValidateInputAttribute to a
controller or action.
-->
<pages validateRequest="false" />
</system.web>
This part had been autogenerated upon the project creation several years ago.
If to create an ASP.NET MVC project for .NET Framework 4.7.2 now, then the Web.config will miss the above autogenerated part.
Do we still need this pages element and validateRequest="false" attribute?
Or in some point on the way from the WebPages to the MVC for .NET Framework 4.7.2 there were breaking changes that canceled the need of this setting?
MVC will prevent against potentially dangerous requests by default.
To post any sort of script or HTML you need to add either:
1 - The ValidateInput attribute on a controller action method
[ValidateInput(false)]
public ActionResult AddEntry(MyModel model) {
:
}
2 - The AllowHtml attribute on a model property
public class MyModel
{
[AllowHtml]
public string HtmlContent { get; set; }
}
The Pages Section of the Web Config is a WebForms thing
"Directives [in the pages element] specify settings used by the page and user-control compilers when they process ASP.NET Web Forms page (.aspx) and user control (.ascx) files." see (here)
<pages validateRequest="false" />
Is a left over from WebForms and is no longer needed by an MVC application.
So because MVC does not use any of that it is now irrelevant. Unless of course your application contains a mix of MVC and Webforms logic.
Bottom Line
Ideally you should never set validateRequest to false when using WebForms, or use AllowHtml or ValidateInput(false) in an MVC app because all three open security vulnerabilities in your code.
So should you remove it? Yes. It should probably not have been there in the first place.
Related
I have a project with .NET Core 2.1 Razor Pages. It was built using the authentication option in the new project UI. So, when I type the URL and hit enter, the website opens the Microsoft login page, and I cannot see any page until I am signed in.
Now, I have a request to change the behavior of the authentication and I need to show the home page (Index) and other pages without the authentication process. So, I think I have to move the login page to a button and allow those pages to be accessible by anyone.
Can you please show me the right direction for this change?
I see that the [AllowAnonymous] directive is only for the controller (ASP.NET Core MVC), because it is not working in the Razor page, where the client and server code are combined in 2 files.
Also, I found a post talking about Service.AddRazorPage but I got an error showing that this method is for MVC, so I don't know if I have to continue with my research to work with this method.
Thanks!
You can try using Razor Pages authorization conventions in ASP.NET Core:
services.AddMvc()
.AddRazorPagesOptions(options =>
{
// options.Conventions.AuthorizePage("/Contact");
// options.Conventions.AuthorizeFolder("/Private");
options.Conventions.AllowAnonymousToPage("/Index");
// options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
})
// ...
;
I want to run a version consistency check between the website and database on every page in the software I work on to see whether one or the other is out of sync. (background: someone could upgrade while a user is using the software, so restricting the check to the sign in page isn't realistic - also why the check is required on any page in the software).
I am not in control of the deployment, as the customer hosts the software themselves on their own hardware.
The front-end is a mixture of asp.net pages and MVC4 (gradually replacing the aspx pages with MVC) , so I can't simply just run the check on Page_Load() in our inner and outer basepages and then have something different for our MVC pages - I would rather not duplicate code for each page type.
Having a look around, I have seen filters which exist for MVC which could be an option for those pages.
I've been investigating HttpHandlers and in theory could restrict the requests down to page load and not static content.
Is there an alternative/better way to do this server side check which would have the code in just one place and would affect both aspx pages and MVC?
Depending on what it should do when its passes the check or fails the check you could set up a new controller Version with an action Check
public class Version : Controller
{
public JsonResult Check() {
return new Json((GetWebsiteVersionNumber() == GetDatabaseVersionNumber()));
}
}
You can then call this endpoint from MVC using #Html.Action in _Layout or in another view and respond accordingly. On the Web Forms side you can then call this end point using the serverside WebRequest class and take appropriate action depending upon the response from your MasterPage PageLoad event or anywhere else you prefer.
Further you could call the endpoint from a common javascript file i(ncluded on both the WebForms and MVC client side includes) and using an AJAX request get the response and deal with it there also.
Excuse syntax errors as I was writing this off the top of my head.
Friends I am in trouble and need your help.
For database management in the admin section of my website I have few text fields where I would like to input data along with HTML tags.
As soon as i add any HTML tag such as < BR /> the SQLDATASOURCE Update gives an error "A potentially dangerous Request.Form value was detected from the client"
Already tried ValidateRequest="false" but it didnt work
Can not use AJAX Editor due to space issue.
<httpRuntime requestValidationMode="2.0" />
If i use httpRuntime requestValidationMode then it disable validation on the whole website making it open for hackers.
Friends how can i disable ValidateRequest only for specific page(s) in the admin section only
In .Net Framework 4.0, if you set requestValidationMode="2.0" in web.config, it doesn't means the whole site be will disabled for validation. It just changed back to 2.0 validation mode which validate only for .aspx pages. So you can apply validateRequest page driective attribute to false for the pages you want to disable after setting to 2.0 mode.
MSDN: requestValidationMode=2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the # Page directive in an individual page are used to determine which page requests to validate.
You can set an attribute on your controller methods or controller to disable the validationRequest
[ConfigurationPropertyAttribute("validateRequest", DefaultValue= false)]
You are missing the ValidateRequest="false" in your page directive
We've just upgraded to ASP.NET 4.0, and found that requestValidation no longer works. The MSDN docs suggest we need to set requestValidationMode in web.config to 2.0:
4.0 (the default). The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever
any HTTP request data is accessed. This guarantees that the request
validation is triggered before data such as cookies and URLs are
accessed during the request. The request validation settings of the
pages element (if any) in the configuration file or of the # Page
directive in an individual page are ignored.
2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages
element (if any) in the configuration file or of the # Page directive
in an individual page are used to determine which page requests to
validate.
This will work for us, however I'm a little puzzled. It seems that we're putting this into a legacy/compatibility mode. Surely it should be possible to have the 4.0 behaviour, but still have an option to turn this off on a page?
I found a way to achieve this without changing RequestValidationMode to 2.0 to the whole site:
You can crate a sub-directory for the page you want to disable the request validation and add a new web.config to this directory with RequestValidationMode set to 2.0, this way only this directory will work in 2.0 mode without affecting all other requests that will work in 4.0 mode.
I think you can add an location section to your main web.config specifying only one page, but I didn't tested this yet.
Something like this:
<location path="Admin/Translation.aspx">
<system.web>
<httpRuntime requestValidationMode="2.0"/>
</system.web>
</location>
Hope it helps you as helped me !
Your best bet is to override the requestValidationType with your own code:
<httpRuntime requestValidationType="YourNamespace.YourValidator" />
MSDN link
It appears that it is not possible to turn this on or off for a page in requestValidationMode 4.0.
This whitepaper outlines breaking changes in .Net 4.0, of which this seems to be one. Even the whitepaper suggests reverting back to requestValidationMode 2.0
To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:
<httpRuntime requestValidationMode="2.0" />
Although it also helpfully recommends
that you analyze any request validation errors to determine whether existing handlers, modules, or other custom code accesses potentially unsafe HTTP inputs that could be XSS attack vectors.
without giving any guidance on how best to resolve these issues
Set requestValidationMode="0.0" to disable ASP.NET pages and HTTP requests validation.
Value 0.0 recognized in ASP.NET 4.6 and later. MSDN
<configuration>
<system.web>
<httpRuntime requestValidationMode="0.0" />
You can set ValidateRequest to false in the page directive:
<%# Page ValidateRequest="false" %>
I am using ASP.NET C#.
How do I implement URL re-writing procedure that is similar to StackOverflow.com?
http://stackoverflow.com/questions/358630/how-to-search-date-in-sql
Also, what is the meaning of values such as "358630" in the URL? Is this the question ID (the basis for which they use to fetch the data from the table)? Whatever it is, in my application I am identifying records using an "ID" field. This field is an identity column in an SQL table. Right now, my URLs are like the following:
http://myweb.com/showdetails.aspx?id=9872
But I'd like them to appear like:
http://myweb.com/showdetails/9872/my_question_title
Or:
http://myweb.com/9872/my_question_title
Or whatever the best way, which will taste good to search bots.
My application is hosted on Go Daddy's shared hosting service, and I feel that no customized ASP.NET "HTTP module" or no customized DLL for URL re-writing is working on their server. I tried many samples but no luck yet!
I found that Stack Overflow is hosted on Go Daddy (shared hosting?). Maybe Stack Overflow's method will work for me.
SO is using ASP.NET MVC. You really need to read in details how MVC URL rewriting works, but the gist of it is that the 'questions' part in the URL is the name of the Controller class (which roughly corresponds to the 'showdetails' in your URL) and the number is a ID parameter for the default action on that Controller (same as the parameter 'id' in your URL).
Since MVC isn't an option you can try redirecting the 404s. This will work in ASP.NET 1.1 and above: Redirect 404s and 405s to your own handler using either IIS config or web.config, parse out the request in the handler and redirect to the appropriate resource.
<configuration>
<system.web>
<customErrors mode="On" defaultRedirect="error.html">
<error statusCode="404" redirect="newHandler.aspx"/>
</customErrors>
</system.web>
</configuration>
Before the advent of System.Web.Routing, the common practice was to use UrlRewriter.NET. Worked well enough, but could bite you when configuring IIS. I'm not sure if there are any simple ways of using the new Routing classes in ASP.NET (i.e., drop it in and go vs. refactoring code).
please explain the meaning of values
such as "358630" in the URL
That is (presumably) the ID for the question in the database. In the MVC model
myurl.com/questions/358630
is analogous to
myurl.com/questions.aspx?id=358630
The question title on the end of the URL is actually being ignored by the app. It's generally "tacked on" for search engine optimization and human readability purposes. In fact, you can change the title of this question in the URL and notice the page still loads just fine.
The new System.Web.Routing dll is part of ASP.NET 3.5 SP1, and is bin deployable on ASP.NET 3.5, so you could use the features of that on a classic ASP.NET WebForms site.
You'll probably want to take note of Phil Haack's comments in his post on using MVC on IIS 6 as you'll probably need to include the .aspx extension in your routed urls
http://www.mysite.com/controler.aspx/action/id
You might also want to check out Questions Tagged SEO.
The ignored question name at the end of the url is often called a "Slug", and is used for SEO purposes to include the page title in the url.