Jean Paul's Blog

There are 2 types of People in the World, One who Likes SharePoint and..

    Advertisements
  • Microsoft MVP

  • MindCracker MVP

  • CodeProject MVP

  • eBook on SharePoint 2010

  • eBook on Design Patterns

  • eBook on Windows Azure

  • NLayers Framework @ CodePlex

  • MSDN Forums

  • .Net vs. Java

    Due to Public Demand
  • Advertisements

How to avoid security error in ASP.NET textbox while inputting html content?

Posted by Paul on February 9, 2011


The ASP.NET handler checks for security threats on page submissions.  This is part of the security checks, otherwise malicious scripts could be injected to the server.

But, in some alternative cases we need to bypass this – say we need to save a webpage into the database.  But the page validation throws the error.

You can try the following:

1. Create a web application and place a textbox and button on it.

2. Run the application and try entering the following data into the textbox

<html>Test Content</html>

3. Click the button to submit the page

4. You will be receiving the following error:

Server Error in ‘/’ Application.


A potentially dangerous Request.Form value was detected from the client (TextBox1=”<html>test</html>”).

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TextBox1=”<html>Test Content</html>”).

 

Solution

Set the ValidateRequest property to false in the page level

<%@ Page Language=”C#” AutoEventWireup=”true” CodeBehind=”Default.aspx.cs” Inherits=”WebApplication2._Default” ValidateRequest=”false” %>

Now try rerunning the application and click the button.  The error is disappeared now.

Advertisements

2 Responses to “How to avoid security error in ASP.NET textbox while inputting html content?”

  1. Jef said

    Just to add, if you are in .NET 4.0 you need to also set under system.web in the web.config file.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s