ASP.NET Not Allow Html in Text Box,Server error in Application,.. A potentialy dangerous Request.Form value was detected.

28 03 2008

Symptom:

When entering a value with angled brackets into a text box on a .NET application the following error is generated in the browser:

Server Error in '/<folder>' Application.

A potentially dangerous Request.Form value was detected from the client (TextBoxN="...")

Cause

The .NET framework is throwing up an error because it detected something in the entered text which looks like an HTML statement. The text doesn’t need to contain valid HTML, just anything with opening and closing angled brackets (“<…>”).

The reason behind the error is as a security precaution. Developers need to be aware that users might try to inject HTML (or even a script) into a text box which may affect how the form is rendered. For further details see www.asp.net/learn/whitepapers/request-validation/.

This checking was not performed in the .NET 1.0 framework and was introduced with the .NET 1.1 framework.

Remedy:

The remedy is in two parts and you MUST action both:

  1. To disable request validation on a page add the following directive to the existing “page” directive in the file – you will need to switch to the HTML view for this:ValidateRequest="false"for example if you already have:

    <%@ Page Language="vb" AutoEventWireup="false" Codebehind="MyForm.aspx.vb" Inherits="Proj.MyForm"%>

    then this should become:

    <%@ Page Language="vb" AutoEventWireup="false" Codebehind="MyForm.aspx.vb" Inherits="Proj.MyForm" ValidateRequest="false"%>

    Alternately, you can globally turn request validation off (but in which case be sure to implement item two below). To globally turn request validation off add the following to your web.config file:

    <pages validateRequest="false" />

    this should go within the <system.web> section. This will turn off request validation for every page in your application.

    Warning

    With request validation turned off, users will be able to enter html into text boxes on the page. For example entering:

    <script>alert('Oops!')</script>

    will be rendered by the browser (when the form is updated and the contents redisplayed) as JavaScript and a message box will appear with the message “Oops!”. This is generally considered to be undesirable!

  2. Unless you actually need users to be able to enter HTML you must convert the string to its html encoding equivalent – basically this means that certain characters (like “<”) are converted to codes (so “<” is converted to “<”). To perform this conversion use HttpUtility.HtmlEncode, for example:MyLabel.Text := HttpUtility.HtmlEncode(MyTextBox.Text);You only need to consider this for any text that will be rendered in the browser.
About these ads

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




Follow

Get every new post delivered to your Inbox.

%d bloggers like this: