Created Issue: WebGrid throws HttpRequestValidationException even when [AllowHtml] is applied to model property [600]

Hi Team,

I use WebGrid on my page. The grid has sorting and paging ability. In addition, the page has a filtering feature. HTTP GET is used for sorting, paging and filtering. The "q" parameter in the query string is for filtering.

If '&q=%3Cs' is present, an HttpRequestValidationException is thrown: A potentially dangerous Request.QueryString value was detected from the client (q="<s").
It is thrown during model binding.

I added [AllowHtml] to my model property and now model binding is fine, but the HttpRequestValidationException is thrown again while creating sort URLs for WebGrid.

So, as I understand it, the defect is that WebGrid enumerates all QueryString parameters regardless of whether a parameter is used by the grid or not.

Attached is a simple project that helps reproduce this defect (VS2010, .NET 4, MVC4).
Steps to reproduce:
1. Use WebGrid in Controller and View;
2. Enable Sorting;
3. Use url to navigate to page http://localhost:52175/Home/Index?sort=Name&sortdir=ASC&ANY_PARAMETER=%3Csomething

Expected result: no exception

Detailed exception info:

Server Error in '/' Application.
--------------------------------------------------------------------------------

A potentially dangerous Request.QueryString value was detected from the client (q="<s").
Description: ASP.NET has detected data in the request that is potentially dangerous because it might include HTML markup or script. The data might represent an attempt to compromise the security of your application, such as a cross-site scripting attack. If this type of input is appropriate in your application, you can include code in a web page to explicitly allow it. For more information, see http://go.microsoft.com/fwlink/?LinkID=212874.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (q="<s").

Source Error:

Line 9: title</h2>
Line 10: @{
Line 11: @webGrid.GetHtml(
Line 12: columns:
Line 13: webGrid.Columns(

Source File: c:\_Test\WebGridException\WebGridException\Views\Home\Index.cshtml Line: 11

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.QueryString value was detected from the client (q="<s").]
System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +9665149
System.Web.<>c__DisplayClass5.<ValidateHttpValueCollection>b__3(String key, String value) +18
System.Web.HttpValueCollection.EnsureKeyValidated(String key) +9664565
System.Web.HttpValueCollection.GetValues(Int32 index) +29
System.Collections.Specialized.NameValueCollection.Add(NameValueCollection c) +84
System.Collections.Specialized.NameValueCollection..ctor(NameValueCollection col) +71
System.Web.Helpers.WebGrid.GetPath(NameValueCollection queryString, String[] exclusions) +63
System.Web.Helpers.WebGrid.GetSortUrl(String column) +322
System.Web.Helpers.<>c__DisplayClass4.<Table>b__3(TextWriter __razor_helper_writer) +811

System.Web.WebPages.HelperResult.ToString() +82
System.Web.WebPages.HelperResult.ToHtmlString() +9
System.Web.HttpUtility.HtmlEncode(Object value) +38
System.Web.WebPages.WebPageBase.Write(Object value) +68
ASP._Page_Views_Home_Index_cshtml.Execute() in c:\_Test\WebGridException\WebGridException\Views\Home\Index.cshtml:11
System.Web.WebPages.WebPageBase.ExecutePageHierarchy() +197
System.Web.Mvc.WebViewPage.ExecutePageHierarchy() +97
System.Web.WebPages.WebPageBase.ExecutePageHierarchy(WebPageContext pageContext, TextWriter writer, WebPageRenderingBase startPage) +76
System.Web.Mvc.RazorView.RenderView(ViewContext viewContext, TextWriter writer, Object instance) +260
System.Web.Mvc.BuildManagerCompiledView.Render(ViewContext viewContext, TextWriter writer) +115
System.Web.Mvc.ViewResultBase.ExecuteResult(ControllerContext context) +295
System.Web.Mvc.ControllerActionInvoker.InvokeActionResult(ControllerContext controllerContext, ActionResult actionResult) +13
System.Web.Mvc.<>c__DisplayClass1a.<InvokeActionResultWithFilters>b__17() +23
System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func`1 continuation) +242
System.Web.Mvc.<>c__DisplayClass1c.<InvokeActionResultWithFilters>b__19() +21
System.Web.Mvc.ControllerActionInvoker.InvokeActionResultWithFilters(ControllerContext controllerContext, IList`1 filters, ActionResult actionResult) +177
System.Web.Mvc.Async.<>c__DisplayClass2a.<BeginInvokeAction>b__20() +89
System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult) +102
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +57
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +43
System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult) +14
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +62
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +57
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +62
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +47
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) +25
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +62
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +47
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9629708
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155



--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.17929


Thanks for creating and supporting MVC 4

--
Sergiy Zinovyev
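The following C# is an added illustration, not part of the original report and not code from the ASP.NET code base. It models what the stack trace above shows: the query-string collection validates each key lazily on first read, and `NameValueCollection(NameValueCollection)` (the copy that `WebGrid.GetPath` performs) calls `Add(c)`, which reads every key, so an unrelated parameter such as `q` is validated even though the grid never uses it. Reading the collection key by key validates only the keys actually touched. `LazyValidatedCollection`, the `LooksLikeMarkup` heuristic, the sample values and the `BuildSortUrl` helper are all constructed for this example; the key names `sort`, `sortdir` and `page` are assumed to be WebGrid's default field names. It assumes a reference to System.Web.dll.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;

// Stand-in for ASP.NET's lazily validating HttpValueCollection (assumption:
// a simplified model written for this example, not the framework's class).
// Each key is validated the first time it is read, which is why reading the
// collection one key at a time validates only the keys actually used.
public class LazyValidatedCollection : NameValueCollection
{
    private readonly Func<string, string, bool> _isDangerous;

    public LazyValidatedCollection(Func<string, string, bool> isDangerous)
    {
        _isDangerous = isDangerous;
    }

    private void EnsureKeyValidated(string key)
    {
        // base.Get bypasses the overrides below, so this does not recurse.
        string value = base.Get(key);
        if (value != null && _isDangerous(key, value))
            throw new HttpRequestValidationException(
                "A potentially dangerous Request.QueryString value was detected from the client ("
                + key + "=\"" + value + "\").");
    }

    public override string Get(string name) { EnsureKeyValidated(name); return base.Get(name); }
    public override string[] GetValues(string name) { EnsureKeyValidated(name); return base.GetValues(name); }
    public override string Get(int index) { EnsureKeyValidated(GetKey(index)); return base.Get(index); }
    public override string[] GetValues(int index) { EnsureKeyValidated(GetKey(index)); return base.GetValues(index); }
}

public static class WebGridValidationDemo
{
    // Crude stand-in for the built-in markup check (constructed heuristic, not
    // ASP.NET's real rule): '<' followed by a letter, which is what q=<s trips.
    private static bool LooksLikeMarkup(string key, string value)
    {
        int i = value.IndexOf('<');
        return i >= 0 && i + 1 < value.Length && char.IsLetter(value[i + 1]);
    }

    // Constructed query string mirroring the report's URL: the grid's own keys
    // plus an unrelated filter parameter carrying markup-like text.
    public static LazyValidatedCollection SampleQueryString()
    {
        var qs = new LazyValidatedCollection(LooksLikeMarkup);
        qs.Add("sort", "Name");
        qs.Add("sortdir", "ASC");
        qs.Add("q", "<s");
        return qs;
    }

    // What the stack trace shows WebGrid.GetPath doing: copying the whole
    // collection. The copy constructor calls Add(c), which calls GetValues(index)
    // for every key, so "q" is validated even though the grid never uses it.
    public static bool CopyingWholeCollectionThrows()
    {
        try
        {
            var copy = new NameValueCollection(SampleQueryString());
            return false;
        }
        catch (HttpRequestValidationException)
        {
            return true;
        }
    }

    // Reading only the keys the grid needs validates only those keys, so the same
    // query string yields a sort URL without ever touching "q". (Hypothetical
    // helper for illustration; WebGrid's own GetSortUrl is not structured this way.)
    public static string BuildSortUrl(NameValueCollection queryString, string path, string column, string direction)
    {
        string[] gridKeys = { "sort", "sortdir", "page" };
        NameValueCollection query = HttpUtility.ParseQueryString(string.Empty); // empty, URL-encoding collection
        foreach (string key in gridKeys)
        {
            string value = queryString[key]; // Get(name): validates this key only
            if (value != null)
                query[key] = value;
        }
        query["sort"] = column;
        query["sortdir"] = direction;
        return path + "?" + query;
    }

    public static void Main()
    {
        Console.WriteLine("Full copy throws: " + CopyingWholeCollectionThrows()); // True
        Console.WriteLine(BuildSortUrl(SampleQueryString(), "/Home/Index", "Name", "DESC"));
        // /Home/Index?sort=Name&sortdir=DESC
    }
}
```

The point for a defender is that [AllowHtml] only changes how MVC's model binder reads the request; any later code that reads `Request.QueryString` as a whole, as the copy in `WebGrid.GetPath` does, still runs the framework's validation over every key, so an application can only avoid the exception by keeping the grid's sort-URL construction away from the full collection or, from ASP.NET 4.5 onward, by reading through `Request.Unvalidated` and applying its own output encoding.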
