Selectively Turning off Request Validation of Masterpages in Umbraco to Allow Posting of Markup via MVC Controllers
Request validation does a lot to protect your web application from abuse such as SQL and XSS injections. However, there are some select cases in which you may wish to allow users ot post markup to your websites MVC Controllers or WebForms. For example, suppose you had a richtext form as part of a customer profile you wish to allow users to edit and save. Saving their profile will lead to markup being posted in the data, which in turn will lead to a “A potentially dangerous ... value was detected from the client” exception without some minor configuration tweaks. However, you don't really wish to 'turn off all validation for your web application' as this will likely open it up to abuse in ways you might not have imagined when coding it! So how can safely achieve this with an Umbraco site?
Fortunately, there are a numer of ways to do this and we will structure these by WebForms and MVC to show you what options you have for your project!
WebForms - Umbraco Masterpages
There is a neat way you can turn off request validation including a particular Umbraco directive within the masterpage which needs to be placed within a content area:
<umbraco:DisableRequestValidation runat="server" />
WebForms - .NET Masterpages
Separately, using a base .NET feature you can include within ASPX masterpages which will have the same desired effect (does not require Umbraco):
<%@ Page validateRequest="false" %>
MVC controllers are a different matter, while the posting of keys that include markup will not be an issue, reading them back will be! Luckily, you don't need to change any configuration for this to work, and can be more selective about what you let through. Typically, if you wanted to read a posted Form key or QueryString key in code (with an HTTPContext) you can do something like:
However, if your form data includes markup, attempting to read this property from these objects will lead to a validation exception. However, you have another (unsanitised) version of these dictionary keys available to you:
This way, you can read the markup only from the fields you expect it to be in, not needing to allow all requests for a particular template, page or route through to your application.
Need an Umbraco Master?
Here at Simon Antony, we have an in house certified Umbraco Grand Master available for hire. Got a problem with your site, need architecture advice, give us a call to speak to Simon directly and see how we can helpContact Simon Today!