How to check the data from the client?

D

Dmitry Filandor2014-12-25 10:25:07

ASP.NET

Dmitry Filandor, 2014-12-25 10:25:07

Hello!
I have users write posts to their blogs, write articles in an html editor, html text goes to the database, a post creation controller:

[HttpPost]
        [ValidateAntiForgeryToken()]      
        public JsonResult CreateRecordBlog(BusinessLayer.Record.Record recordBL)
        {
...

article model:

[Required]
        [AllowHtml]
        [StringLength(5000, ErrorMessage = "Размер записи должен быть минимум 200 знаков и максимум 5000.", MinimumLength = 200)]
        public string Text { get; set; }
...

as you can see html text is allowed.
I recently updated the asp version, well, I didn’t touch anything else except for updating the packages. When publishing a record, everything is ok on the locale, it is published, and on the server this is the exception:
A potentially dangerous Request.Form value received from the client (Text="
vyyyyyyyyyyav
...") was detected.
vyayyyyyyyyav - this is a test to be published. I reviewed everything, it doesn’t publish even a crack, but on the locale (the locale is configured for the combat database on the host) everything works.
As a result, I had to hang on the record creation controller:
[ValidateInput(false)]
now works, but how did it work before? And as I understand it, this is a security hole, now you can record all sorts of filth, a script, etc.