html markup allowed in textbox even though validaterequest=true


Andy Fish

Hi,

I have a web form with 2 text boxes on it. I have not set
validateRequest=false in the @page directive so request validation should be
on.

One of the text boxes correctly gives the "A potentially dangerous
Request.Form value..." Exception when trying to enter HTML markup. However,
the other one allows it through.

The form is rather large and complex so I can't just post the whole thing
here, but does anyone know how one textbox would be able to skip the form
validation feature?

TIA

Andy
 

Andy Fish

OK, I figured out what was happening. I wasn't comparing like with like.

What actually happens is that the page validation does not throw out all
HTML markup. It allows end tags but not start tags. So it's possible to put
in something like "</td></tr></table>" into a textbox which will screw up
the display but I guess this wouldn't normally be 'dangerous'
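
Added example, not part of the original thread: a small C# console program that models the behaviour reported above (start tags rejected, end tags accepted) and shows that HTML-encoding the value at output time keeps accepted input from changing the page structure. `LooksDangerous` is a simplified, hypothetical model built from the thread's description, not the framework's own check, and the sample inputs are constructed.

```csharp
using System;
using System.Net;

static class RequestValidationDemo
{
    // Simplified model of the behaviour reported in this thread (an assumption,
    // not the framework's source): reject '<' when a letter follows it, which
    // catches start tags, and let "</..." end tags through.
    static bool LooksDangerous(string value)
    {
        for (int i = 0; i + 1 < value.Length; i++)
        {
            if (value[i] != '<') continue;
            char next = value[i + 1];
            if ((next >= 'a' && next <= 'z') || (next >= 'A' && next <= 'Z'))
                return true;
        }
        return false;
    }

    static void Main()
    {
        // Constructed sample inputs.
        string[] samples =
        {
            "<table><tr><td>x",     // start tags: rejected by the model
            "</td></tr></table>",   // end tags only: accepted, as the thread reports
            "plain text"            // no markup: accepted
        };

        foreach (string s in samples)
        {
            bool rejected = LooksDangerous(s);

            // Encoding at output time turns '<' and '>' into &lt; and &gt;,
            // so whatever validation let through is rendered as text and
            // cannot close the surrounding table markup.
            string encoded = WebUtility.HtmlEncode(s);

            Console.WriteLine("{0,-20} rejected={1,-5} rendered as: {2}",
                              s, rejected, encoded);
        }
    }
}
```

In a Web Forms page the equivalent step is to pass the text box value through `Server.HtmlEncode` before writing it into the response.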
 
