Errors when adding HTML in a textbox

I have an .aspx page with a textbox on it, and whenever a user tries to submit some HTML type code it generates an unhandled exception error for it being "A potentially dangerous Request.Form value". I think it's doing this as an automatic safeguard against cross-site scripting, but what can I do to handle it so the user doesn't get the lovely red and yellow error page?

I tried putting the submit in a try...catch block, but it doesn't appear to be running the try...catch before it brings up the page. Can somebody please help with this?

Thanks,
Jeremy
 
Hello Jeremy...see this reference in MSDN help

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/cpconpage.asp

See the section about the ValidateRequest attribute

hth,
Chad McCune, MCSE, MCDBA



Jeremy said:
I have an .aspx page with a textbox on it, and whenever a user tries to
submit some HTML type code it generates an unhandled exception error for it
being "A potentially dangerous Request.Form value". I think it's doing this
as an automatic safeguard against cross-site scripting, but what can I do
to handle it so the user doesn't get the lovely red and yellow error page?
I tried putting the submit in a try...catch block, but it doesn't appear
to be running the try...catch before it brings up the page. Can somebody
please help with this?
 
One of the enhancements in 1.1 is the new "ValidateRequest" feature that
provides automatic detection and blocking of suspicious-looking data.
This is a feature to prevent HTML injection and other such attacks.
Here's more info:
http://weblogs.asp.net/vga/archive/2003/05/02/6329.aspx
http://www.asp.net/faq/RequestValidation.aspx
http://groups.google.com/groups?q="[email protected]&rnum=1

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net


Jeremy said:
I have an .aspx page with a textbox on it, and whenever a user tries to
submit some HTML type code it generates an unhandled exception error for it
being "A potentially dangerous Request.Form value". I think it's doing this
as an automatic safeguard against cross-site scripting, but what can I do
to handle it so the user doesn't get the lovely red and yellow error page?
I tried putting the submit in a try...catch block, but it doesn't appear
to be running the try...catch before it brings up the page. Can somebody
please help with this?
 
Thanks for your help, I didn't realize that it was a new "feature" of 1.1. I had heard that MS was going to automatically turn on security type features, but I wasn't sure exactly what they were going to do.

My form is submitting data to a database and I'm using some validator controls to ensure some of the fields are dates, so do I need to Server.HtmlEncode my date fields when I submit? Also, should I HtmlDecode the fields I encode when I display the information in a label?

Thanks for your help
Jeremy
 
A couple short and simple tests should lead you to these answers yourself.
Just try it and see.

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net


Jeremy said:
Thanks for your help, I didn't realize that it was a new "feature" of 1.1.
I had heard that MS was going to automatically turn on security type
features, but I wasn't sure exactly what they were going to do.
My form is submitting data to a database and I'm using some validator
controls to ensure some of the fields are dates, so do I need to
Server.HtmlEncode my date fields when I submit? Also, should I HtmlDecode
the fields I encode when I display the information in a label?
 
Yeah, I agree. After thinking about this I don't think this type of question could be given a straightforward answer. It's my application with its own set of requirements and what might work well for some situations won't work well for others. Plus it's hard to tell what other people really need in their application when you're giving out advice.

Thanks for the help
Jeremy
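
The ValidateRequest attribute and the Server.HtmlEncode question discussed in this thread, shown together as an added example that is not code from any of the posters: a code-behind sketch for a page that turns request validation off, stores the text as typed, and encodes it once when it is written into a label. The page name, control ids, table name and connection string are assumptions made for the illustration.

```csharp
// Added example. Assumes Comment.aspx starts with
//   <%@ Page Language="C#" ValidateRequest="false" Inherits="Demo.CommentPage" %>
// and declares <asp:TextBox id="txtComment">, <asp:Label id="lblComment"> and
// <asp:Button id="btnSubmit" OnClick="btnSubmit_Click">, all runat="server".
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Demo
{
    public class CommentPage : Page
    {
        protected TextBox txtComment;
        protected Label lblComment;
        protected Button btnSubmit;

        // Placeholder connection string; the "Comments" table is hypothetical.
        private const string ConnStr =
            "server=(local);database=Demo;Integrated Security=SSPI";

        // With ValidateRequest="false" the framework no longer rejects markup
        // in the form post, so this handler receives it and the page itself
        // is now responsible for the cross-site scripting defence.
        protected void btnSubmit_Click(object sender, EventArgs e)
        {
            string raw = txtComment.Text;
            if (raw.Length > 2000)
            {
                lblComment.Text = "Comment too long.";
                return;
            }

            // Store the text as typed. The parameter keeps it out of the SQL text.
            using (SqlConnection conn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand(
                       "INSERT INTO Comments (Body) VALUES (@body)", conn))
            {
                cmd.Parameters.Add("@body", SqlDbType.NVarChar, 2000).Value = raw;
                conn.Open();
                cmd.ExecuteNonQuery();
            }

            // Encode once, at output. Label.Text is written to the page as-is,
            // so without this call "<b>" would be rendered as markup.
            lblComment.Text = Server.HtmlEncode(raw);
        }
    }
}
```

Because the stored value is the raw text, it is encoded each time it is displayed and never decoded before being written into HTML.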
 