How to prevent "A potentially dangerous Request.Form" in a request

Go To StackoverFlow.com

2

I have added a FreeTextBox control in my page, which allows users to insert HTML tag. Well, when I send to the server, I get the following error:

A potentially dangerous Request.Form value was detected from the client (GestisciPagine1_txtTestoPagina="...t homepage<br><br>").

Which option do I need to change to avoid this? I only want to change this control. Is it possible?

2012-04-03 20:29
by markzzz


7

Which option I need to change to avoid this control ONLY to this control?

You can't do this per control. You need to do it at the page level or for the entire application:

<%@ Page Title="Home Page" Language="C#" ValidateRequest="false" %>
2012-04-03 20:32
by Darin Dimitrov
This means I need to escape/encode all data that I get from this page? Or .NET do it as well - markzzz 2012-04-03 20:32
@markzzz, you need to HTML encode it if you intend to display it back on the page. That's all. On the server you could store it in a SQL database as is without worrying about anything (assuming you are using parametrized queries of course, but since you should always use parametrized queries if you are doing any plain ADO.NET it shouldn't be any problem) - Darin Dimitrov 2012-04-03 20:33
I use stored procedures, or LINQ to SQL :). But, on printing back to the page, .NET should also do an HTML encode automatically, right - markzzz 2012-04-03 21:40
@markzzz, that's correct - Darin Dimitrov 2012-04-04 05:20
So, why that control "ValidateRequest"? To prevent somethings that will be checked anyway? : - markzzz 2012-04-04 07:01
By default ASP.NET doesn't allow posting such characters. I think it's in order to warn the developer that he must perform certain additional steps (HTML encode) when displaying them back in the page. Imagine there was no exception. People that were unaware of the fact that they must HTML encode them wouldn't do it and get their sites XSSesed. On the other hand an exception is thrown => it makes developer afraid, they ask questions and get things clear - Darin Dimitrov 2012-04-04 08:41
"People that were unaware of the fact that they must HTML encode": no, because .NET do it anyway :) That's I don't understand heh - markzzz 2012-04-04 08:48
@markzzz, no, .NET doesn't HTML encode what you are outputting by default. Actually it depends how you are outputting it. If you simply write <%= SomeValue %> where SomeValue represents HTML, nothing will get encoded - Darin Dimitrov 2012-04-04 11:48
Yeah, in fact it does it only with Literal. I only use Literal, that's why I didn't understand :) Thank yo - markzzz 2012-04-04 12:41