OutputCache and A potentially dangerous Request


I have enabled OutputCache, and am using the following attributes:

[OutputCache]
[ValidateInput(false)]

But I'm getting the following error:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.QueryString value was detected from the client (pool="lger<br />/for...").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +11933898
   System.Web.HttpValueCollection.EnsureKeyValidated(String key) +11932776
   System.Web.HttpValueCollection.Get(String name) +23
   System.Web.Caching.OutputCacheModule.CreateOutputCachedItemKey(String path, HttpVerb verb, HttpContext context, CachedVary cachedVary) +880
   System.Web.Caching.OutputCacheModule.OnLeave(Object source, EventArgs eventArgs) +803
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +92

Why is this happening? I don't get why the OutputCachedItemKey needs to be validated. Is there any way to disable this?

Note that it only goes wrong when OutputCache is enabled.

Without it, everything works fine.

Update: It seems really easy to reproduce:

  1. Start new ASP.NET Project with ASP.NET MVC template (4.5.2)
  2. Add [OutputCache( Duration = 1)]
  3. Run http://localhost:(port)/?test=%3Cscript%3E

Result: Potentially dangerous request, even though you don't do anything with this parameter.

Tags: c#, asp.net, .net, asp.net-mvc, outputcache
asked on Stack Overflow Mar 25, 2016 by Dirk Boer • edited Mar 25, 2016 by Dirk Boer

3 Answers


The issue happens because the client passed in pool="lger<br /> to the Query String. Notice the HTML character <br />, this can be considered an XSS attack and the framework handles this for you by default.

You want to keep this security enabled, imagine if the client passed up

"<script type='javascript'>//Nasty code</script>"

As part of the query string, it could be reflected or persisted to the users of your system.

You can also add the MVC attribute AllowHtml.

public class Model
{
   [AllowHtml]
   public string Pool { get; set; }
}

However, if you really want to disable Request Validation (Not recommended) then you can do so via the web.config

<system.web>
  <httpRuntime requestValidationMode="2.0" />
</system.web>
answered on Stack Overflow Mar 25, 2016 by Darren • edited Mar 25, 2016 by Darren

It looks like you need to be using the [AllowHtml] attribute.

See here for reference.

By default, the ASP.NET MVC framework checks requests during model binding to determine whether they contain potentially dangerous content as HTML markup. If HTML is detected, model binding throws an error. If a property is marked with the AllowHtmlAttribute attribute, the ASP.NET MVC framework skips validation for that property during model binding.

answered on Stack Overflow Mar 25, 2016 by zgood

The reason for the error is that OutputCachedItemKey tries to create a unique identifier for the request which includes parameter information. Doing this calls ValidateString which leads to the exception for values that are considered dangerous.

That said, I don't have a real solution either. However, if the goal is to disable caching for the action entirely, this attribute should work:

[OutputCache(Duration = 0, VaryByContentEncoding = null, VaryByCustom = null, VaryByHeader = null, VaryByParam = null)]

answered on Stack Overflow Sep 25, 2020 by Paul B.
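The stack trace in the question and the explanation in the last answer point at the same mechanism: OutputCacheModule reads Request.QueryString through the validated collection while building the cache key, so neither [ValidateInput(false)] nor [AllowHtml] is consulted at that point; both only affect MVC model binding, which runs later. What the module does honour is the request validator registered in httpRuntime. The following is an added example, not code from the question or from any of the answers above, showing a narrower alternative to the requestValidationMode="2.0" setting in the first answer: a custom System.Web.Util.RequestValidator that exempts exactly one query-string key and leaves every other key, and every other request source, under the default ASP.NET check. The namespace, class name and the parameter name "pool" are assumptions taken from the error message in the question.

```csharp
using System;
using System.Web;
using System.Web.Util;

// Register in web.config (the type name, or "Namespace.Type, AssemblyName"
// if the class lives outside the web application's own assembly):
//
//   <system.web>
//     <httpRuntime targetFramework="4.5.2"
//                  requestValidationType="Sample.Security.PoolParameterRequestValidator" />
//   </system.web>
//
// The namespace, class name and exempted key "pool" are assumptions for this
// example; adjust them to the parameter that legitimately carries markup.
namespace Sample.Security
{
    public class PoolParameterRequestValidator : RequestValidator
    {
        // The single query-string key allowed to carry markup. Query-string keys
        // are case-insensitive in ASP.NET, so the comparison below is too.
        private const string ExemptQueryKey = "pool";

        // Called by ASP.NET for every value it validates, including the ones
        // OutputCacheModule touches when it builds the cache key.
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Exempt only this key, and only when it arrives in the query string.
            // The same key in a form body, cookie or header is still validated.
            if (requestValidationSource == RequestValidationSource.QueryString &&
                string.Equals(collectionKey, ExemptQueryKey, StringComparison.OrdinalIgnoreCase))
            {
                validationFailureIndex = -1;
                return true;
            }

            // Everything else keeps the built-in dangerous-string check.
            return base.IsValidRequestString(
                context,
                value,
                requestValidationSource,
                collectionKey,
                out validationFailureIndex);
        }
    }
}
```

Two caveats apply once this is in place. First, the exempted value is now raw attacker-controlled input: any view or log line that echoes it must HTML-encode it, because request validation no longer stands in front of it. Second, the output cache key is derived from that raw value, so an action that varies by this parameter will store one cached copy per distinct value; if the action does not use the parameter at all, setting VaryByParam to exclude it (or to "none") keeps the cache from being filled with copies keyed on junk input.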

User contributions licensed under CC BY-SA 3.0