Disabling input validation in MVC2 using ASP.NET 4.0 (Part II) 

Tags: .NET

This is the second part of “Disabling input validation in MVC2 using ASP.NET 4.0”. In the first part we saw how to disable the input validation so that a field can accept, for example, HTML code.

The problem with that approach is that it disables validation for every field in the form, so all the other fields (which are not supposed to contain HTML) can be fed HTML code without you noticing.

So we need to protect them, and to stay consistent with the rest of the application, let’s reuse the validation that ASP.NET provides by default.

If you open System.Web in .NET Reflector, you’ll see that input validation in ASP.NET 4.0 is done by the RequestValidator class, through its protected “IsValidRequestString” method, so we’ll create a derived class called “CustomRequestValidator”:

    using System.Web;
    using System.Web.Util;

    internal class CustomRequestValidator : RequestValidator
    {
        /// <summary>
        /// Validates a form parameter with the default ASP.NET 4.0 rules
        /// </summary>
        /// <param name="formParameter">The name of the form field</param>
        /// <returns>true if the value passes request validation</returns>
        public bool IsValidFormParameter(string formParameter)
        {
            string fieldValue = HttpContext.Current.Request.Form[formParameter];
            int validationFailureIndex;
            return base.IsValidRequestString(HttpContext.Current, fieldValue,
                RequestValidationSource.Form, formParameter,
                out validationFailureIndex);
        }

        /// <summary>
        /// Validates a querystring parameter with the default ASP.NET 4.0 rules
        /// </summary>
        /// <param name="queryStringParameter">The name of the querystring parameter</param>
        /// <returns>true if the value passes request validation</returns>
        public bool IsValidQueryStringParameter(string queryStringParameter)
        {
            string fieldValue = HttpContext.Current.Request.QueryString[queryStringParameter];
            int validationFailureIndex;
            return base.IsValidRequestString(HttpContext.Current, fieldValue,
                RequestValidationSource.QueryString, queryStringParameter,
                out validationFailureIndex);
        }
    }

As you can see, we created two methods: one to validate form parameters and another to validate querystring ones.

So in our controller we just need to insert code like this to validate every parameter except the “html-ed” one:

    using System;
    using System.Collections.Specialized;

    // Inside the controller. Reading Request.Form here only works because the
    // action has the built-in validation switched off (see Part I).
    /// <summary>
    /// Validates form input with the default rules, except the HTML field
    /// </summary>
    private void CustomValidateRequest()
    {
        // campoHtml: the one field that is allowed to carry HTML
        string campoHtml = "Description";

        CustomRequestValidator reqVal = new CustomRequestValidator();
        NameValueCollection nvCol = HttpContext.Request.Form;
        foreach (string key in nvCol.AllKeys)
        {
            if (!String.Equals(campoHtml, key, StringComparison.InvariantCultureIgnoreCase) &&
                !reqVal.IsValidFormParameter(key))
            {
                ModelState.AddModelError(key, "The field has invalid chars");
            }
        }
    }

Note that the html-ed parameter is “Description”, and when we find an invalid value we add a model error instead of throwing an exception, so the page validation can tell the user which field was misused.
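To show how the pieces fit together, here is an added example (not code from the original post) of a controller action that combines the [ValidateInput(false)] attribute from Part I with CustomRequestValidator, and extends the check to the query string using the IsValidQueryStringParameter method defined above, which the post itself never calls. The controller name, the action and the ArticleStore call are hypothetical.

```csharp
using System;
using System.Web.Mvc;

public class ArticlesController : Controller
{
    // The one field that may legitimately carry HTML; Part I switched the
    // built-in validation off for this action so that it can be posted at all.
    private const string HtmlField = "Description";

    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Edit(FormCollection form)
    {
        var reqVal = new CustomRequestValidator();

        // Every posted field except HtmlField gets the default ASP.NET rules back.
        ValidateKeys(Request.Form.AllKeys, reqVal.IsValidFormParameter, HtmlField);
        // Query-string values are not covered by the form loop; none of them is
        // allowed to carry HTML, so no field is skipped here.
        ValidateKeys(Request.QueryString.AllKeys, reqVal.IsValidQueryStringParameter, null);

        if (!ModelState.IsValid)
        {
            return View(); // errors surface through Html.ValidationSummary()
        }

        // form[HtmlField] is the only value that bypassed request validation, so
        // treat it as untrusted markup wherever it is stored or rendered.
        // ArticleStore.Save(form);   // hypothetical persistence call
        return RedirectToAction("Index");
    }

    // Runs one of the CustomRequestValidator checks over a key collection and
    // records a model error per failing key, skipping skipField if given.
    private void ValidateKeys(string[] keys, Func<string, bool> isValid, string skipField)
    {
        foreach (string key in keys)
        {
            if (key == null) continue; // values posted without a name
            if (skipField != null &&
                string.Equals(skipField, key, StringComparison.InvariantCultureIgnoreCase))
                continue;
            if (!isValid(key))
            {
                ModelState.AddModelError(key, "The field has invalid chars");
            }
        }
    }
}
```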

Hope it helps!

Published by Enrique Blanco  21-Feb-10