When I submit HTML characters to my form, why does ASP.NET throw an internal server error (500)?

When I put HTML characters in my form, for example <br />, ASP.NET throws an internal 500 error, as described here.

A potentially dangerous Request.Form value was detected from the client (Name="<br />").

Well, that's fine: it protects me from unencoded characters that could be used for malicious purposes.

The problem is that nowhere in my long search have I found what needs to be done. That is, my application should not just throw a generic internal server error when a user enters bad characters (what if they draw an arrow such as <-?).

It would be best to just return to the page with a ModelState error that says "Please don't use HTML characters" or something meaningful.

But how to achieve this? The error occurs before the request even gets into my code. Also, I don't want to just disable it with validateRequest="false" and then check every form in my application for HTML characters and return an error myself.

Is there a way to leave this type of validation enabled, but just handle it differently?

Code for explanation:

Model

Public Class SomeModel
    Public Property SomeField As String
End Class

Controller

<HttpPost>
Function SomeController(ByVal model As SomeModel) As ActionResult
    ' model.SomeField contains some HTML characters :O
    ' but it doesn't matter, since an internal error has occurred :(
    Return View(model)
End Function
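One way to do exactly what the question asks, keep request validation switched on but turn its failure into an ordinary ModelState error, is a custom model binder. This is an added example, not code from the question or from any of the answers below. DefaultModelBinder reads each form value in its validated form while binding the matching property, so the "potentially dangerous Request.Form value" exception surfaces inside BindProperty, where it can be caught. The binder class name and the error text are assumptions, SomeModel is the class from the question, and Request.Unvalidated needs ASP.NET 4.5 or later (on MVC 3 / ASP.NET 4.0 the raw value can be read through System.Web.Helpers.Validation.Unvalidated instead).

```vb
Imports System.ComponentModel
Imports System.Globalization
Imports System.Web
Imports System.Web.Mvc

' Added example (not from the original question): a model binder that leaves
' request validation on but converts the HttpRequestValidationException raised
' while binding a property into a ModelState error, so the action can
' redisplay the form instead of the pipeline answering with a 500.
' The class name and the message are assumptions.
Public Class RequestValidationModelBinder
    Inherits DefaultModelBinder

    Protected Overrides Sub BindProperty(controllerContext As ControllerContext,
                                         bindingContext As ModelBindingContext,
                                         propertyDescriptor As PropertyDescriptor)
        Try
            ' Normal path: the base binder reads the validated value, which is
            ' where "A potentially dangerous Request.Form value" is thrown.
            MyBase.BindProperty(controllerContext, bindingContext, propertyDescriptor)
        Catch ex As HttpRequestValidationException
            ' "SomeField" for a top-level model, "Prefix.SomeField" when nested.
            Dim key As String = CreateSubPropertyName(bindingContext.ModelName, propertyDescriptor.Name)

            ' Read the raw value without validation only so the form can echo it
            ' back to the user; it goes into ModelState, never into the model.
            Dim raw As String = controllerContext.HttpContext.Request.Unvalidated.Form(key)
            bindingContext.ModelState.SetModelValue(key,
                New ValueProviderResult(raw, raw, CultureInfo.CurrentCulture))
            bindingContext.ModelState.AddModelError(key,
                "Please don't use HTML characters.")
        End Try
    End Sub
End Class

' Register it once, e.g. in Application_Start of Global.asax.vb:
'     ModelBinders.Binders.DefaultBinder = New RequestValidationModelBinder()

' The action from the question then only has to look at ModelState.
Public Class SomeController
    Inherits Controller

    <HttpPost>
    Function Edit(ByVal model As SomeModel) As ActionResult
        If Not ModelState.IsValid Then
            ' Html helpers and Razor encode what they render, so echoing the
            ' rejected value back into the form is safe.
            Return View(model)
        End If
        Return RedirectToAction("Index")
    End Function
End Class
```

Two things worth checking before relying on this: the rejected value is kept only as the ModelState "attempted value" (the property on the model stays untouched), and anything else in the pipeline that reads the validated Request.Form before binding runs (a filter, a handler, your own code) will still raise the exception outside the binder and fall through to the generic error page.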
4 answers

You should be able to show your own error page with whatever message you consider necessary.
For this, use customErrors pages.

You can configure these error pages to be displayed for the corresponding status code.

<configuration>
   <system.web>
      <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" 
                    defaultRedirect="GenericError.htm">
         <error statusCode="500" redirect="InternalError.aspx"/>
      </customErrors>
   </system.web>
</configuration>

Display custom error page

Server.GetLastError()

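To make the Server.GetLastError() idea from this answer concrete, here is an added example (not code from the answer) of an Application_Error handler in Global.asax.vb that singles out the request-validation failure, answers it with a 400 and a short message, and leaves every other exception to the customErrors configuration. The message text is an assumption.

```vb
Imports System
Imports System.Web

' Added example (not from the answer above): handle only the
' request-validation exception globally; everything else still goes to
' the customErrors page. The message is an assumption.
Public Class MvcApplication
    Inherits HttpApplication

    Protected Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
        Dim ex As Exception = Server.GetLastError()

        If TypeOf ex Is HttpRequestValidationException Then
            ' Clear the error so ASP.NET does not also render its own 500 page.
            Server.ClearError()
            Response.Clear()

            ' The client's input was rejected, so 400 is the honest status.
            ' TrySkipIisCustomErrors stops IIS from replacing the body.
            Response.StatusCode = 400
            Response.TrySkipIisCustomErrors = True
            Response.ContentType = "text/html"

            ' Do NOT write ex.Message here: it contains the submitted value
            ' (Name="<br />"), i.e. the very markup that was rejected.
            Response.Write("<p>" & HttpUtility.HtmlEncode("Please don't use HTML characters in the form.") & "</p>")

            ' Finish the request without the ThreadAbortException that
            ' Response.End() would raise.
            Me.CompleteRequest()
        End If
    End Sub
End Class
```

The limitation of handling it here rather than in the controller is that the posted form and its ModelState are gone by the time Application_Error runs, so you can show a message but not redisplay the form with the user's other fields filled in.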

The <%: %> syntax in ASP.NET HTML-encodes the output.


To allow such input into the model, put the AllowHtml attribute on the model property. This is the first step.

Then create a custom validator, or use the RegularExpression attribute, to check the input against your spec.

Or, if you want to let the user enter restricted characters, use HttpUtility.HtmlEncode to encode the value.

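The three steps of this answer applied to the question's model, as an added example that is not the answer's own code: AllowHtml switches the built-in check off for that single property, a RegularExpression attribute then rejects markup with a normal ModelState error instead of a 500, and HttpUtility.HtmlEncode is used wherever the value is rendered outside a view. The regex, the messages and the action names are assumptions.

```vb
Imports System.ComponentModel.DataAnnotations
Imports System.Web
Imports System.Web.Mvc

' Added example (not from the answer above). Regex, messages and action
' names are assumptions.
Public Class SomeModel
    ' Opt this one property out of request validation; every other form
    ' field on the page keeps the built-in protection.
    <AllowHtml>
    <Required>
    <RegularExpression("^[^<>]*$", ErrorMessage:="Please don't use HTML characters.")>
    Public Property SomeField As String
End Class

Public Class SomeController
    Inherits Controller

    <HttpPost>
    <ValidateAntiForgeryToken>
    Function Edit(ByVal model As SomeModel) As ActionResult
        ' A regex failure arrives here as an ordinary validation error,
        ' so the view can show it next to the field.
        If Not ModelState.IsValid Then
            Return View(model)
        End If

        ' ... persist model.SomeField as entered ...
        Return RedirectToAction("Show")
    End Function

    ' Rendering outside a view: Content() returns the string as-is, so the
    ' value is encoded explicitly here. In a view, Razor's @ and the
    ' <%: %> syntax do the same thing, so do not encode twice.
    Function Show(ByVal model As SomeModel) As ActionResult
        Dim html As String = "<p>" & HttpUtility.HtmlEncode(model.SomeField) & "</p>"
        Return Content(html, "text/html")
    End Function
End Class
```

Note that AllowHtml only disables the check for the property it decorates, and the regex above still allows characters such as & and quotes; that is fine precisely because the value is encoded at output rather than trusted as markup.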
