Question

I would like to intercept the "<" character in the form field by a regex validator. I will describe the problem in 3 steps:

Step 1: When I try to submit a form with a field containing the "<" character, I get the "Potentially dangerous request..." - as expected in ASP.NET.

Step 2: To avoid ASP.NET's RequestValidation, I decorate my Update method in the controller with "[ValidateInput(false)]".

It works as expected - now I can post "<" character without error.

Step 3: I use xVal with DataAnnotations. For example, [Required] or [StringLength(255)] works as expected.

BUT when I use: [RegularExpression("^[^<>]*$", ErrorMessage = "Special characters are not allowed.")], I get the "Potentially dangerous request..." error again, despite the [ValidateInput(false)] directive.

What's happening? Is there a simpler way for regex validation, but with [ValidateInput(false)] in place? Of course, I'd like to have my validation code in the model, not in the controller.


Solution

No, it was an issue in MVC 1 + xVal. In MVC 2 the validation works as supposed (and there's no need for xVal anymore) – Alex42

Looks like the bot keeps on pushing this one to the top still. Could you mark an answer as accepted so that it knows?

OTHER TIPS

I'm using xVal & nhibernate.validator and I tried to reproduce this behavior, but because the validator is tied into the client side I couldn't get a value past the client-side validation. When I disabled JavaScript, it got to the server-side validation and was caught by the regular expression validator.

I tried the same thing with using the data annotations validation attributes and model binder and it made it past as well.

There must be something else going on that is causing the error. Sorry I couldn't be more helpful!

Try validating using a simple rule with this method. This can at least eliminate xVal from the equation. If the problem persists then I'd suggest it's related to either:

  • the implementation of MVC's default Model Binder
  • or there is a problem with the MVC view engine in the release you're using that's somehow allowing an exception to be made for the attribute you specified by validating the < when it shouldn't be

If it is just a field, you could just write a routine to look for a character '< or >' and remove it. You can achieve this by making use of substring. Hope this helps.

  • use For loop to length of text to be tested (for (int i=1; i <= text.length; i++))
  • verify each character beginning 1 (e.g. ch = text.substring(i,1))
  • add each read character to tmp string except '< or >'

I suppose the static method Escape() would solve this for you.

  Regex r = new Regex(Regex.Escape(expression));

Put this line in web.config

<httpRuntime requestValidationMode="2.0" />

This is a change in ASP.NET 4.0
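
The pieces discussed in this thread put together, as an added example that is not code from the question or any of the answers: the model carries the regex rule from the question, and the action opts out of request validation so that the rule, rather than ASP.NET, rejects "<" and ">". It assumes MVC 2 on .NET 4 with the web.config line above in place; CommentModel, CommentController and the "Saved" key are hypothetical names.

```csharp
// Added example, not from the original posts. Assumes ASP.NET MVC 2 on .NET 4
// with <httpRuntime requestValidationMode="2.0" /> in web.config, so that
// [ValidateInput(false)] is honoured. All type names here are hypothetical.
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

public class CommentModel
{
    [Required]
    [StringLength(255)]
    // Same pattern as in the question: reject any value containing < or >.
    [RegularExpression("^[^<>]*$", ErrorMessage = "Special characters are not allowed.")]
    public string Text { get; set; }
}

public class CommentController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [HttpPost]
    [ValidateInput(false)] // turn request validation off for this action only
    public ActionResult Update(CommentModel model)
    {
        // The default model binder has already run the DataAnnotations rules.
        // A value containing < or > arrives here as a model error instead of
        // raising HttpRequestValidationException before the action executes.
        if (!ModelState.IsValid)
        {
            // Redisplay the form with the error message. The view must
            // HTML-encode model.Text when echoing it back, because the
            // framework is no longer filtering this request.
            return View(model);
        }

        // Only values that passed the model rules reach this point.
        TempData["Saved"] = model.Text;
        return RedirectToAction("Index");
    }
}
```

With request validation off for this action, the model attributes are the only server-side filter on Text, so every view that renders it should encode the value.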

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow