Validate Request in MVC5 - web-config

I am getting excpetions in MVC5 while uploading HTML Content. I have specified [HttpPost, ValidateInput(false)] on my ActionMethod as well as specified httpRuntime requestValidationMode="2.0" in the web.config of my application but still it is throwing exceptions. Any suggestions to fix this issue?

I solved it by marking the Controller with ValidateInput(false)

Related

Need to preserve HTTP status code when using httpErrors custom 404 error using responseMode executeURL on Azure App Service IIS

I want to have all missing content/"bad" URLs redirect to our custom 404.html error page.
This is important for accurately recording 404 errors in Google Analytics.
The issue is that when the responseMode=ExecuteURL flag is set, then the custom error does not preserve the 404 status code, but always shows a 200 code. I can change this to responseMode=Redirect, but this then shows a 302 status code, before redirecting to the custom 404.html page.
All of this DOES work with a "File" flag set on the httpError… just not with the "ExecuteURL" flag which is required for our server-side Perl includes used to present Header/Footer page elements.
Ideally, we should be able to use the Azure App Service IIS web.config to set a custom error to:
always preserve/show the requested (missing) URL request in address bar (and dev tools)
always preserve/show the "real" HTTP status code (404) in the dev tools
allow the use of server-side includes to update header/footer elements using our current Perl setup
The below code works to preserve the requested URL in address bar, correctly shows the custom 404.html page with server-side header/footer content, BUT loses the 404 status code in dev tools (and Google Analytics)...
<httpErrors>
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404"
responseMode="ExecuteURL"
path="/404.html" />
</httpErrors>
Changing to responseMode="Redirect" only changes the status code to 302 before redirecting to custom 404.html...
If I change to use responseMode="File" this all works fine, but I then lose the custom server-side header and footers which are handled with Perl server-side includes...
EDIT:
To be clear, the custom 404 page is all HTML and Javascript, but also leverages some very old Perl server-side includes to add custom header and footer elements to the page. We are not using any .NET framework or .NET core pages...
This arrangement should be possible, but perhaps only with a different web server, not IIS? nginx, perhaps?
FINAL UPDATE:
Not a full answer, but our near-term resolution was to use nginx proxy configuration (which was already present and could be altered in nginx.conf) to preserve 404 error codes and present the proper custom 404.html static file.
I was also able to do this with Docker and nginx, so I know it is possible for a web server to deal with this situation...
I've determined that AFAICT there is no way for IIS web.config to handle this without using server-side code as Jason Pan suggested. So while he may be correct, that answer was not helpful for our needs.
UPDATE
When you use httpErrors in web.config, it must have code in your project to handle 400 and 500 in server side.
Due to your project just static web app, and no sever side code. So I suggest you can use hard code in httpErrors.
Like,
<error statusCode="404" responseMode="ExecuteURL" path="/404.html?httpcode=404" />.
The tag of httpErrors is used in servers such as iis. The 404 and 500 errors you want can’t be displayed directly in the browser. Because the httpErrors tag is used, the server will process everything and return it to the browser, so the HttpStaus you get is always 200.
PRIVIOUS
I probably know your question. Your program is .net framework or .net core, it is not clear for the time being. But I see the configuration tags in the web.config file.
In principle, the wrong request arrives at IIS and other servers, and the code level has processed 404 and other errors, so the returned HttpStatus value must be 200. There is no way to change it, but when a 404 or 500 error occurs, we can Processing and recording in Application_Error can also achieve the purpose you want to analyze.
So I tested it and based on the .net framework, you can download my sample code on github and give the following suggestions.
1. Add the Application_Error method to the Global.asax.cs file.
2. According to the Application_Error method, add an Error Controller.
3. Perform the test and the result is shown in the screenshot.
After decode the message. The content is
The controller for path '/a/b' was not found or does not implement IController..
We can custom error msg in Application_Error function. We can append HttpCode and other info.
Hi i found this workaround(ASP NET WebForms)
Web Config
<httpErrors errorMode="Custom" existingResponse="Replace">
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" path="/ErrorDefault.aspx?httpcode=404" responseMode="ExecuteURL" />
<remove statusCode="500" subStatusCode="-1" />
<error statusCode="500" path="/ErrorDefault.aspx?httpcode=500" responseMode="ExecuteURL" />
</httpErrors>
ErrorDefault.cs > Page Load
var httpCode = Request.QueryString["httpcode"];

Northwind OData service Not Availbe?

Trying to use Northwind oData Service but not data is returned, previously this was working.
when I check the connection I get the following message:
Connection to "Northwind" established. Response returned: "301: Moved
Permanently"
Any suggestions on how to resolve greatly appreciated.
I just faced a similar situation right now.
Most likely you are using the link without the secure protocol.
Try using https://services.odata.org instead of http://services.odata.org.
I saw old configurations pointing to the wrong URL, but after changing to the secure protocol the problem was solved.
Kindly check out the URL :
https://services.odata.org/V2/Northwind/Northwind.svc/$metadata
NorthWind ODATA Service is working
https://services.odata.org/V2/Northwind/Northwind.svc/Categories?$format=json.

PUT method error code 405(method not allowed) in restful service URL using VS2013 and IIS Express 8

I am using PUT for a method in RESTful service its throwing error 405 gone through all posts in google changed IIS config setting but not working.
Before someone marks it as a duplicate I have been dealing with this issue for a couple of days, and none of the suggested procedures in the following posts helped:
Method 1
Yet another method
You can find more examples, most of them referring the webdav module (I don't have reputation to give more references). Even if many report that it solved the issue, for some reason it did not solve for me, and since the question keeps being posted to SO I guess I am not the only one fighting this issue. Here is the way I managed to have the DELETE, PUT, OPTIONS verbs working (in both express and IIS8.5). It was as simple as adding a new mapping handler for the ProtocolSupportModule, or in web.config terms:
<add name="OtherVerbsHandler" path="*" verb="PUT,DELETE,OPTIONS" modules="ProtocolSupportModule" />
Do not use that handler also for the remaining verbs, since it won't be able to load the static files (if nothing else). Please note that I am new to ASP.NET and any insightful comments about my solution are welcome.
EDIT: This work-around actually did not solve it for me, since the DELETE request is not handled by the proper controller/action, returning always 200 OK. However, fiddling around with other API I found out the solution. I was just missing the Options method (returning always 200 OK) that in the case of this other API I already implemented because of some pre-flight requests. I still don't know why one couldn't see that this was the problem in the error output, but my API is working fine now.
//This is necessary for browsers that isssue preflight requests
//Even with CORS enabled!
public HttpResponseMessage Options()
{
return Request.CreateResponse(HttpStatusCode.OK, "Options route activated.");
}
public HttpResponseMessage Delete(string project, string runId)
{
return Request.CreateResponse(HttpStatusCode.NotImplemented, "Delete route activated.");
}

GWT login using Spring - URL issue

I am trying to solve URL login issue in GWT. We are using spring security. The problem is that everything is working in development mode but in tomcat where builded as WAR it fails.
application-context-security.xml seetings:
<form-login authentication-success-handler-ref="mySuccessHandler" authentication-failure-handler-ref="myFailureHandler" login-processing-url="/login" />
I have my own login.html file there si HTML form element <form action="/login">
I have two Spring handlers which redirects to Login.html or MyApplication.html (content,services) depends on if user autheticates or not.
If I pack my application into vsp.war (localhost:8080/vsp/) and run it, it goes to Login.html, which is correct. But always if I authenticate or not it goes to localhost:8080/login with 404 status.
My final WAR structure is:
login
login.nocache.js
vsp
vsp.nocache.js
Login.html
MyApplication.html
I have two modules for login and for rest of application (services).
Example of failure authentication handler method:
#Override
public void onAuthenticationFailure(HttpServletRequest request,
HttpServletResponse response, AuthenticationException exception)
throws IOException, ServletException {
// always send HTTP 403
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
final StringBuilder URL = new StringBuilder("Login.html?");
if(!GWT.isProdMode()) {
URL.append("gwt.codesvr=127.0.0.1:9997&");
}
URL.append("error=true");
response.sendRedirect(URL.toString());
}
Can anybody help me where I am doing mistake? Problem is that I dont understand the URLs if there must be /Login.html or Login.html ot /login or something different.
Any help will be appreciated.
Regards Lukas
Problem solved. I have used /login fo Spring security login but also Login.gwt.xml, Login.java for GWT parts. And there was problem with correct URLs. When I change Spring security login to something different (/differentLogin) everythinkg works fine in hosted and web mode.

Tab Page Error: The requested method GET is not allowed

I have just set up a custom tab on my page for the first time. I have thoroughly followed the setup guide and seem to have everything on the Facebook side setup correctly.
However when I view my page it throws the following error:
Method Not Allowed The requested method GET is not allowed for the
URL /Facebook/index.html. Additionally, a 404 Not Found error was
encountered while trying to use an ErrorDocument to handle the
request. Apache/1.3.41 Server at feebnaturals.com.au Port 80
I believe it may be some kind of Apache server config issue, however I'm not that Apache savvy, so not sure where to start.
I had the same problem, but instead of GET, it was POST method which was not allowed. This is a setting on your server. Not server savvy myself, but it seems that my provider didn't allow this method on html-page, but makes no problem on doing the same for php-pages. So all I did was rename my page from .html to .php, updated the app settings in facebook and all works fine now.
This is definitely an error on your side, check your server logs and see what they say - it looks like you've configured the page to only work via a POST request and it's being requested in a GET request