html markup allowed in textbox even though validaterequest=true

Discussion in 'ASP .Net Web Controls' started by Andy Fish, Oct 27, 2004.

  1. Andy Fish

    Andy Fish Guest

    Hi,

    I have a web form with 2 text boxes on it. I have not set
    validateRequest=false in the @page directive so request validation should be
    on.

    One of the text boxes correctly gives the "A potentially dangerous
    Request.Form value..." Exception when trying to enter HTML markup. However,
    the other one allows it through.

    The form is rather large and complex so I can't just post the whole thing
    here, but does anyone know how one textbox would be able to skip the form
    validation feature?

    TIA

    Andy
    Andy Fish, Oct 27, 2004
    #1

  2. Andy Fish

    Andy Fish Guest

    OK, I figured out what was happening. I wasn't comparing like with like.

    What actually happens is that the page validation does not throw out all
    HTML markup. It allows end tags but not start tags. So it's possible to put
    something like "</td></tr></table>" into a textbox, which will screw up
    the display, but I guess this wouldn't normally be 'dangerous'.
    Andy Fish, Oct 27, 2004
    #2
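
The behaviour described in post #2, as an added example that is not part of the original thread and is not ASP.NET's own code: `LooksDangerous` is a hypothetical, simplified model (an assumption) of a filter that rejects start tags but lets end tags through. The sample inputs are constructed, and the mitigation shown is HTML-encoding the value with `WebUtility.HtmlEncode` at the point where it is written back into the page.

```csharp
using System;
using System.Net;

static class RequestValidationDemo
{
    // Hypothetical, simplified model of the behaviour described in the post:
    // '<' followed by an ASCII letter or '!' (a start tag, comment or
    // declaration) is rejected, while "</" (an end tag) passes.
    // This is NOT the framework's actual validation code.
    static bool LooksDangerous(string value)
    {
        for (int i = 0; i + 1 < value.Length; i++)
        {
            if (value[i] != '<') continue;
            char next = value[i + 1];
            if (next == '!' || (next >= 'a' && next <= 'z') || (next >= 'A' && next <= 'Z'))
                return true;
        }
        return false;
    }

    static void Main()
    {
        // Constructed sample inputs; the second is the string quoted in the post.
        string[] samples = { "<table>", "</td></tr></table>", "plain text" };

        foreach (string input in samples)
        {
            bool rejected = LooksDangerous(input);
            Console.WriteLine("input:    {0}", input);
            Console.WriteLine("rejected: {0}", rejected);
            if (!rejected)
            {
                // Writing the value back unencoded lets the end tags close
                // the page's own table early; encoding at output time
                // renders them as literal text instead.
                Console.WriteLine("raw:      <td>{0}</td>", input);
                Console.WriteLine("encoded:  <td>{0}</td>", WebUtility.HtmlEncode(input));
            }
            Console.WriteLine();
        }
    }
}
```

Request validation is a coarse input filter, so the encoding step belongs on every output path that echoes user-supplied text, whether or not the filter is enabled.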