I am getting this error "A potentially dangerous Request.Form value was detected from the client" when testing an input that is sent from the user to the server via jQuery ajax. It only comes up when I intentionally put a single quote, double quote, or HTML characters in the input, e.g. "<s"c'o<>" as my username. But still, I want to be able to gracefully encode and decode any bad input the user tries to enter.

Here is the client-side jQuery:

    // The values are pre-encoded here; jQuery encodes them again when it
    // serialises the data object (the double encoding discussed in the comments).
    var email = encodeURIComponent($('#loginEmail').val());
    var password = encodeURIComponent($('#loginPassword').val());

    $.ajax({
        async: false,
        url: 'Account/CheckLogin',
        dataType: 'JSON',
        // Note: with a plain object as `data`, jQuery still sends the request
        // form-encoded, so this content type does not match the body it sends.
        contentType: 'application/json',
        data: { email: email, password: password },
        success: function (resp) {
            alert(resp.valid);
            if (resp.valid == "false") {
                isValid = false;   // `isValid` is declared in the enclosing scope
                $('.errorspan').show();
            }
        }
    });

The controller code really isn't significant, since the error is thrown before it ever hits the first line's breakpoint. It seems ASP.NET caught this while it was being passed as ajax, before I got a chance to handle it in code. My question is: why is this happening with encodeURIComponent()?

  • Every time someone types $.ajax({ async: false... a cute little bunny dies somewhere, maybe more...
    – kidwon
    Commented Mar 14, 2013 at 22:04
  • I absolutely have to have it this way, this one time, sorry to all the bunnies
    Commented Mar 14, 2013 at 22:06
  • Does your call have to be a GET? Can it be a POST?
    Commented Mar 14, 2013 at 22:16
  • jQuery encodes the values for you, so if you pre-encode them, you're turning < into %3c, then jQuery is turning around and converting that into %253c (25 is the code for the percent symbol). So when it finally makes it to the server, the < won't be there for your code to look at - %3c will be. So I'd say don't try to encode yourself, but rather use MattW's suggestion about turning off validation, and let the framework handle the encoding.
    – Joe Enos
    Commented Mar 14, 2013 at 22:16
  • <, > get encoded by the call to encodeURIComponent; what characters are you sending to choke IIS?
    – Jason
    Commented Mar 14, 2013 at 22:26

1 Answer

You need to turn off server-side request validation, see for example here.

As for why it's happening? Microsoft has basically made the assumption that anyone who doesn't know how to turn off request validation also can't be trusted with data that might be harmful if roundtripped to a database and put back on the page without consideration of encoding. That's probably saved a lot of people from themselves over the years. URI-encoding doesn't "hide" the "dangerous" ' from .NET, at least in Firefox.

  • Turning off validation doesn't solve the problem, it sidesteps it while making the application less secure.
    – Jason
    Commented Mar 14, 2013 at 22:19
  • It doesn't inherently make the application less secure, it merely transfers responsibility for security from the framework to the developer. URI-encoding the data doesn't make it any less "dangerous" than not doing so, even if it did actually work in getting rid of the problem, which it doesn't. The potential danger lies in what you do with the data after you have it in unencoded form, and that is the same whether it was passed straight through or encoded first and then decoded.
    – MattW
    Commented Mar 14, 2013 at 22:26
  • Transferring responsibility to humans tends to be less secure.
    – Jason
    Commented Mar 14, 2013 at 22:28
  • @MattW I'm with you - as long as you ALWAYS encode user-generated text when you display it, you're never at any risk, regardless of how the data was obtained. ASP.NET has actually made it really easy to do this, introducing <%: %> in ASP.NET 4.0 and making HTML encoding the default for Razor, where you have to specifically tell it if you don't want to encode text.
    – Joe Enos
    Commented Mar 14, 2013 at 22:33
  • I'm not going to turn off the built-in validation, but I figured it out from the comments, thanks
    Commented Mar 15, 2013 at 2:50
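As an added example (not code from the question, the answer or any of the commenters), the following JavaScript models the two mechanisms the comments describe: Joe Enos's double-encoding explanation under the question (pre-encoding with encodeURIComponent, then jQuery encoding again, then the server decoding once) and the "always encode at output time" advice under the answer. The jQuery serialisation, the server-side form parsing and the request-validation check are simplified stand-ins written here, not the frameworks' own code; the validation regex in particular is only an approximation of the markup-like patterns ASP.NET 4 rejects. The names formEncode, parseFormBody, looksDangerousToRequestValidation, sendLogin, htmlEncode and renderGreeting are hypothetical, and the sample username is the one from the question.

```javascript
// Added example: models the client-side double encoding and the encode-on-output
// defence from the discussion above. Everything here is a plain-function stand-in
// for jQuery and ASP.NET behaviour (assumption), not the frameworks' own code.

// Simplified model of jQuery.param (jQuery 1.x): each key and value goes through
// encodeURIComponent exactly once and the pairs are joined with "&".
function formEncode(data) {
  return Object.keys(data)
    .map((k) => encodeURIComponent(k) + "=" + encodeURIComponent(data[k]))
    .join("&");
}

// Model of the server side: the framework decodes every form value exactly once.
function parseFormBody(body) {
  const out = {};
  for (const pair of body.split("&")) {
    const [k, v = ""] = pair.split("=");
    out[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return out;
}

// Approximation of ASP.NET 4 request validation: reject values that look like
// markup, i.e. "<" followed by a letter, "!", "/" or "?", or an "&#" entity.
function looksDangerousToRequestValidation(value) {
  return /<[A-Za-z!\/?]|&#/.test(value);
}

// What the server ends up with when the client pre-encodes the value (as in the
// question's code) versus when it hands jQuery the raw value.
function sendLogin(email, preEncode) {
  const value = preEncode ? encodeURIComponent(email) : email;
  const wire = formEncode({ email: value });          // what jQuery puts on the wire
  const serverSide = parseFormBody(wire).email;       // what Request.Form contains
  return { wire, serverSide, flagged: looksDangerousToRequestValidation(serverSide) };
}

// The defence recommended in the comments: HTML-encode user text when rendering it,
// so stored data can stay raw and still be displayed safely.
function htmlEncode(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreeting(username) {
  return "<p>Welcome, " + htmlEncode(username) + "</p>";
}

// Constructed sample input: the username from the question.
const sampleName = "<s\"c'o<>";
const preEncoded = sendLogin(sampleName, true);
const rawSend = sendLogin(sampleName, false);
console.log(preEncoded); // wire: email=%253Cs%2522c'o%253C%253E, server sees %3Cs%22c'o%3C%3E, flagged: false
console.log(rawSend);    // wire: email=%3Cs%22c'o%3C%3E, server sees <s"c'o<>, flagged: true
console.log(renderGreeting(sampleName)); // <p>Welcome, &lt;s&quot;c&#39;o&lt;&gt;</p>
```

Run it with node. With pre-encoding, the server receives the percent-escaped string rather than the literal characters, which is exactly the "%3c will be there, not <" situation Joe Enos describes; sending the raw value lets the markup-like `<s` reach the validation check. In both cases the thing that actually keeps the page safe is htmlEncode at render time, which is what the `<%: %>` and Razor defaults do automatically.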
