I have enabled OutputCache, and am using the following attributes:
[OutputCache]
[ValidateInput(false)]
But I'm getting the following error:
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.QueryString value was detected from the client (pool="lger<br />/for...").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +11933898
   System.Web.HttpValueCollection.EnsureKeyValidated(String key) +11932776
   System.Web.HttpValueCollection.Get(String name) +23
   System.Web.Caching.OutputCacheModule.CreateOutputCachedItemKey(String path, HttpVerb verb, HttpContext context, CachedVary cachedVary) +880
   System.Web.Caching.OutputCacheModule.OnLeave(Object source, EventArgs eventArgs) +803
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +92
Why is this happening? I don't get why the OutputCachedItemKey needs to be validated. Is there any way to disable this?
Note that it only goes wrong when enabling the OutputCache. Without it, everything works fine.
Update: It seems really easily reproducible:
[OutputCache( Duration = 1)]
Result: Potentially dangerous request, despite that you do anything with this parameter.
The issue happens because the client passed in pool="lger<br /> to the Query String. Notice the HTML character <br />, this can be considered an XSS attack and the framework handles this for you by default.
You want to keep this security enabled, imagine if the client passed up "<script type='javascript'>//Nasty code</script>" as part of the query string, it could be reflected or persisted to the users of your system.
You can also add the MVC attribute AllowHtml.
using System.Web.Mvc;

public class Model
{
    // Skips request validation for this property only, during model binding.
    [AllowHtml]
    public string Pool { get; set; }
}
However, if you really want to disable Request Validation (not recommended) then you can do so via the web.config:
<system.web>
    <httpRuntime requestValidationMode="2.0" />
</system.web>
It looks like you need to be using the [AllowHtml] attribute.
See here for reference.
By default, the ASP.NET MVC framework checks requests during model binding to determine whether they contain potentially dangerous content as HTML markup. If HTML is detected, model binding throws an error. If a property is marked with the AllowHtmlAttribute attribute, the ASP.NET MVC framework skips validation for that property during model binding.
The reason for the error is that OutputCachedItemKey tries to create a unique identifier for the request which includes parameter information. Doing this calls ValidateString, which leads to the exception for values that are considered dangerous.
That said, I don't have a real solution either. However, if the goal is to disable caching for the action entirely, this attribute should work:
[OutputCache(Duration = 0, VaryByContentEncoding = null, VaryByCustom = null, VaryByHeader = null, VaryByParam = null)]
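The mechanism visible in the stack trace and described in the answer above, as an added example that is not part of the original posts and is not ASP.NET source code: a simplified C# console model in which a query-string value is validated the first time it is read, so an action that never touches pool succeeds and the later cache-key step throws. The class names, the sample path and the regex approximating the built-in check are assumptions.

```csharp
// Simplified model, constructed for illustration; not ASP.NET source code.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

class ValidationException : Exception
{
    public ValidationException(string message) : base(message) { }
}

// Stand-in for HttpValueCollection: a value is validated when it is first read.
class LazyValidatedCollection
{
    // Assumed approximation of the built-in check: '<' followed by a letter, '!', '/' or '?', or "&#".
    static readonly Regex Dangerous = new Regex(@"<[A-Za-z!/?]|&#");
    readonly Dictionary<string, string> _values;

    public LazyValidatedCollection(Dictionary<string, string> values) { _values = values; }
    public IEnumerable<string> Keys => _values.Keys;

    public string Get(string key)
    {
        string value = _values[key];
        if (Dangerous.IsMatch(value))
            throw new ValidationException("A potentially dangerous value was detected (" + key + ")");
        return value;
    }
}

static class Program
{
    // Stand-in for the cache-key step: varying by every parameter means reading every parameter.
    static string CreateCacheKey(string path, LazyValidatedCollection query)
    {
        return path + "?" + string.Join("&", query.Keys.OrderBy(k => k).Select(k => k + "=" + query.Get(k)));
    }

    static void Main()
    {
        // Constructed requests: a harmless value, and the value prefix shown in the question's error.
        var benign = new LazyValidatedCollection(new Dictionary<string, string> { ["pool"] = "large" });
        var flagged = new LazyValidatedCollection(new Dictionary<string, string> { ["pool"] = "lger<br />" });

        // The "action" never calls Get("pool"), so nothing is validated while it runs.
        Console.WriteLine("action ran without reading the query string");
        Console.WriteLine("cache key: " + CreateCacheKey("/home/index", benign));

        try { CreateCacheKey("/home/index", flagged); }
        catch (ValidationException ex) { Console.WriteLine("cache-key step threw: " + ex.Message); }
    }
}
```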