When I put in HTML characters in my form, such as <br />, ASP.NET throws an internal 500 exception as described here.
A potentially dangerous Request.Form value was detected from the client (Name="<br />").
Ok, so it's protecting me from unencoded characters that could be used for malicious reasons.
The problem, and this is answered nowhere in my long search, is what to do about it. I.e., my application shouldn't just be throwing a generic internal server error when a user inputs bad characters (what if they're drawing an arrow such as <--).
What would be better is to simply return to the page with a ModelState error that says "Please don't use HTML characters" or something meaningful.
But how is this to be achieved? The error is thrown way before it gets to my code. Also, I don't want to just turn it off via validateRequest="false" and then have to validate every single form in my application for HTML characters and return an error.
Is there a way to leave this type of validation enabled but just handle it differently?
Code for clarification:
Model
Public Class SomeModel
    Public Property SomeField As String
End Class
Controller
<HttpPost>
Function SomeController(ByVal model As SomeModel)
    ' model.SomeField contains some HTML characters :O
    ' but it doesn't matter, since an internal error has occurred :(
End Function
There is a problem with the resource you are looking for, and it cannot be displayed. The first solution to a 500 internal server error is to refresh the page. If the error persists, you may try clearing the cookies, deactivating faulty plugins or themes, fixing the .htaccess file, or contacting your hosting provider.
IIS error The error 500.19 is an internal server error often occurring on a server using Microsoft IIS software. It indicates that the configuration data for the page is invalid. To solve the issue, delete the malformed XML element from the Web.config file or from the ApplicationHost.
"500.0 – Internal Server Error" is an IIS Error code meaning that the web service is unavailable. This means the error is with the API, not your client.
Have you tried adding the AllowHtml attribute to the property of your viewmodel?
It is definitely possible to show your own error page with whatever message you see fit.
You use customError pages for this.
You can configure these error pages to be shown for the appropriate error code.
<configuration>
   <system.web>
      <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" 
                    defaultRedirect="GenericError.htm">
         <error statusCode="500" redirect="InternalError.aspx"/>
      </customErrors>
   </system.web>
</configuration>
Displaying a Custom Error Page
On your error page you can detect the last error with Server.GetLastError() and use it to show an appropriate message, if you want this case of HTML data to be handled differently.
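As an added example (not part of the original answer), one possible VB.NET code-behind for the InternalError.aspx page named in the configuration above, using Server.GetLastError() to tell a request-validation failure apart from other errors. The MessageLabel control, the message texts and the choice of status codes are assumptions.

```vb
Imports System
Imports System.Web
Imports System.Web.UI.WebControls

' Added example: code-behind for InternalError.aspx.
' Assumes the .aspx markup contains <asp:Label ID="MessageLabel" runat="server" />.
Partial Public Class InternalError
    Inherits System.Web.UI.Page

    ' Normally generated in the .designer.vb file; declared here so the example is complete.
    Protected WithEvents MessageLabel As Label

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        ' With redirectMode="ResponseRewrite" the original exception is still available here.
        Dim lastError As Exception = Server.GetLastError()

        If IsRequestValidationFailure(lastError) Then
            ' Fixed text only: the exception message quotes the rejected input
            ' (e.g. Name="<br />"), so it is never written back to the page.
            MessageLabel.Text = "Please don't use HTML characters in the form."
            Response.StatusCode = 400
        Else
            MessageLabel.Text = "Something went wrong while processing your request."
            Response.StatusCode = 500
        End If

        ' Keep IIS from replacing this body with its own error page.
        Response.TrySkipIisCustomErrors = True
    End Sub

    ' ASP.NET may wrap the original exception, so walk the InnerException chain.
    Private Shared Function IsRequestValidationFailure(ex As Exception) As Boolean
        While ex IsNot Nothing
            If TypeOf ex Is HttpRequestValidationException Then Return True
            ex = ex.InnerException
        End While
        Return False
    End Function
End Class
```

Request validation stays enabled with this approach; only the presentation of the failure changes.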