ASP.NET MVC Disable Request Validation

This post is just to share some info. Maybe some of you have run into, or are currently running into, the same problem I did.

So here is the story. I am developing an application with ASP.NET MVC. One part of it takes user input through a WYSIWYG text editor, in this case TinyMCE. When saving to the database, an error roughly like this appeared:

A potentially dangerous Request.Form value was detected from the client (html="<p>Anu anuanua…</p><br/>

It was rejected by the Request object, which has request validation enabled by default. Ah, right, I forgot to set ValidateRequest = false. So I added the ValidateRequest setting to Web.config and tried again, and the same error still appeared. Why did it have no effect? After searching here and there and asking around, it turns out ASP.NET MVC handles request validation a bit differently. According to this article:

Unlike a Web Forms application, you cannot disable request validation by using the <%@ Page ValidateRequest="false" %> directive. You also cannot disable request validation in the web configuration (web.config) file. If you want to disable request validation then you must use the [ValidateInput] attribute.

Oh, so that's how it is. Then how do you apply the ValidateInput attribute to a method in the controller? Still according to the same article, this is how:

[c#]
// Request validation is switched off for this action only
[ValidateInput(false)]
public ActionResult SaveNotes(FormCollection forms)
{
    SqlConnection dObjConnection = new SqlConnection();
    clsDataServiceOperator objNotes;

    String dStrErrMsg = "";
    String dStrTotalErrMsg = "";
    bool dBoolSucceed = false;
    bool flagStatus = true;
    bool flagBlob = true;

    clsRowSet dobjRowSet;
    SqlTransaction dObjTransaction;

    // ……………save the notes……..
}
[/c#]

Done: add the [ValidateInput(false)] attribute to the method that handles the request, and everything is sorted.
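An added example, not code from the original post or the article it cites: on ASP.NET MVC 3 and later, `[AllowHtml]` on a single model property exempts only the editor field from request validation instead of the whole action, and the submitted HTML is then reduced to an allowlist before it is stored. The `NoteInput` model, the in-memory `Store`, the `Index` redirect target, the tag list and the use of the HtmlSanitizer NuGet package (`Ganss.Xss`) are assumptions of this example.

```csharp
using System.Collections.Concurrent;
using System.Web.Mvc;
using Ganss.Xss; // assumed dependency: HtmlSanitizer NuGet package

// Hypothetical view model for the TinyMCE form.
public class NoteInput
{
    public string Title { get; set; }   // still covered by request validation

    [AllowHtml]                         // only this property may carry markup
    public string Html { get; set; }
}

public class NotesController : Controller
{
    // Stand-in for the database table (assumption, keeps the example self-contained).
    private static readonly ConcurrentQueue<NoteInput> Store = new ConcurrentQueue<NoteInput>();

    // Allowlist sanitizer; the tag and attribute lists are assumptions, size them to the editor toolbar.
    private static readonly HtmlSanitizer Sanitizer = BuildSanitizer();

    private static HtmlSanitizer BuildSanitizer()
    {
        var s = new HtmlSanitizer();
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a" })
            s.AllowedTags.Add(tag);
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.Add("http");
        s.AllowedSchemes.Add("https");
        return s;
    }

    [HttpPost]
    public ActionResult SaveNotes(NoteInput input)
    {
        if (input == null || !ModelState.IsValid)
            return new HttpStatusCodeResult(400);

        // Script tags, event handlers and javascript: URLs are removed here,
        // so only allowlisted markup is ever stored.
        string safeHtml = Sanitizer.Sanitize(input.Html ?? string.Empty);
        Store.Enqueue(new NoteInput { Title = input.Title, Html = safeHtml });
        return RedirectToAction("Index");
    }
}
```

With this shape, markup posted in `Title` still raises the "potentially dangerous Request.Form value" error, while `Html` is accepted and cleaned.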

The same case also came up on the asp.net forum, and the solution used there was the same. Here is the link I used as a reference..

On the forum someone also said this. Nice info:

In MVC, request validation has to be done at the controller level instead of at the page level because the controller is processing input, not the page.  If request validation were done at the page level, then the controller would happily process malicious input (and potentially commit it to the database!) before the validation check ever took place.

By default, all controllers perform validation after the authorization filters have run.  If you want to disable validation per-controller or per-action, decorate the type or method with the [ValidateInput(false)] attribute.

Since the controller is now responsible for validation, it doesn’t make sense for the page to do it, so the default Web.config sets the page’s ValidateRequest setting to false.  This setting only affects pages; the controller does not have the necessary permission to read this from Web.config.  If we didn’t make this change to Web.config, then for any controller or action where you want to suppress request validation, you’d also have to do it at the page level or else you’ll see exceptions.  It’s annoying and counterintuitive to have to suppress it twice, and the check is done before the page loads anyway, so we just suppress it at the page level by default.  The first check (at the controller) level is still performed.

Okay, case closed. Let's get back to coding…

7 comments

  1. This one is for a just-for-fun project, but a paid one, Mas Ronald.. 😉
    Oh, and if you're not busy and there's an episode that's ready, just put it up right away, Mas… waiting another week is too long.. hehehe..
    Go Temanmacet.com!
