HTML Tags in input form

  • Thread starter Joe via DotNetMonster.com

Joe via DotNetMonster.com

Hi,

I have a form that saves to a database. I would like the user to be able to enter HTML tags into the Textbox Control fields but I get an error message when entering HTML tags:

A potentially dangerous Request.Form value was detected from the client (pArticleText="Test<p>").

I'm new to ASP.NET so I'm not sure what would be the best way.

Thanks
 
Steve C. Orr [MVP, MCSD]

One of the enhancements in 1.1 is the new "ValidateRequest" feature that
provides automatic detection and blocking of
suspicious looking data. This is a feature to prevent HTML injection and
other such attacks.

Luckily you can turn it off in cases like this with the following page
directive:
<%@ Page validateRequest="false" %>

Here's more info:
http://weblogs.asp.net/vga/archive/2003/05/02/6329.aspx
http://www.asp.net/faq/RequestValidation.aspx
http://groups-beta.google.com/group...ection+1.1&hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1
 
vMike

Joe via DotNetMonster.com said:
Hi,

I have a form that saves to a database. I would like the user to be able
to enter HTML tags into the Textbox Control fields but I get an error
message when entering HTML tags:
A potentially dangerous Request.Form value was detected from the client
(pArticleText="Test<p>").
I'm new to ASP.NET so I'm not sure what would be the best way.

Thanks

You can turn it off for the page, but you need to encode it during
processing and unencode it later for security reasons.

See this info
Most scripting exploits occur when users can get executable code (script)
into your application. By default, ASP.NET provides request validation,
which raises an error if a form post contains any HTML whatsoever.

You can protect against script exploits in these ways:

a. Apply HTML encoding to strings before accepting or displaying them, so
that the strings do not include any executable elements.
b. If your application needs to accept some HTML, disable request
validation and create your own HTML filter.
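
An added example (not part of the original thread, and not ASP.NET's own code) of the two options quoted above combined: HTML-encode the whole field first, then re-enable only a short allow-list of attribute-free tags. The class name `ArticleHtmlFilter` and the tag list are assumptions made for illustration; it uses `System.Net.WebUtility.HtmlEncode` and lambda syntax from current .NET, and on ASP.NET 1.1 `HttpUtility.HtmlEncode` is the equivalent encoding call.

```csharp
using System;
using System.Net;                        // WebUtility.HtmlEncode
using System.Text.RegularExpressions;

public static class ArticleHtmlFilter    // hypothetical helper, not a framework class
{
    // Assumption: the only markup the article field needs. The pattern matches
    // already-encoded tags with no attributes, so <p onclick=...> never qualifies.
    private static readonly Regex AllowedTag = new Regex(
        @"&lt;(/?)(p|b|i|em|strong|ul|ol|li|br)\s*(/?)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string Filter(string raw)
    {
        if (raw == null) return string.Empty;

        // 1. Encode everything, so no character of the input is live markup.
        string encoded = WebUtility.HtmlEncode(raw);

        // 2. Turn back only the bare allow-listed tags; all other input stays encoded.
        return AllowedTag.Replace(encoded, m =>
            "<" + m.Groups[1].Value + m.Groups[2].Value.ToLowerInvariant()
                + m.Groups[3].Value + ">");
    }

    public static void Main()
    {
        // Constructed sample inputs, including the value from the error message.
        string[] samples = {
            "Test<p>",
            "<b>bold</b> and <script>alert(1)</script>",
            "<p onclick=\"x()\">hi</p>",
            "a < b && c > d"
        };
        foreach (string s in samples)
            Console.WriteLine(Filter(s));
    }
}
```

Run the filter on the value just before it is written into the page, and keep storing the text with a parameterized query, since this filter addresses markup only.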
 
Alan Silver

I have a form that saves to a database. I would like the user to be able
to enter HTML tags into the Textbox Control fields but I get an error
message when entering HTML tags:
(pArticleText="Test<p>").
You can turn it off for the page, but you need to encode it during
processing and unencode it later for security reasons.

Can't it just be turned off for one control? It seems a bit extreme to
only allow it to be on or off for the whole page. Surely if you could
disable the checking for just one control, it would make the security
much easier as you would only have to worry about anything entered in
that one control.
 
