<> tags typed into a asp.net textbox

Mark

We have a multi-line textbox that users copy and paste email text into. The
pasted text frequently will contain a tag like <[email protected]> or similar. I
believe .NET is protecting itself from code injection by throwing a global
error when this occurs. The exception message is pasted below.

We will NOT be able to train our users to eliminate all <> tags. What's the
best way to deal with this issue?

Thanks in advance.

Mark

EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
detected from the client (txtNote="<[email protected]> ").
 
Shiva

Hi,
This is a security measure implemented in ASP.NET (1.1) to avoid
script-injections. If you want to turn this off, add validateRequest="false"
to the <%@ Page %> directive on the page.

To disable for the whole app, have this in your web.config (inside
<configuration></configuration>):

<system.web>
<pages validateRequest="false" />
</system.web>

HTH.

 
Mark

Great idea. However, does this render all Validation controls useless?
Like a Required Field Validator or similar?

Thanks again.

Mark
 
Steve Flitcroft

Nope, just allows any tags to be input on forms without erroring.
Doesn't stop any of the other validators.
 
Jim Cheshire [MSFT]

Mark,

We recommend that you not do this unless you pair it with writing some code
of your own to validate the request. In most cases, you can easily leave
validateRequest enabled in these circumstances by simply HTML-encoding the
data you are entering into the Textbox control.

Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support
(e-mail address removed)

This post is provided "AS-IS" with no warranties and confers no rights.

 
Mark

Thanks Jim,

By "writing some code" I believe you're implying server side code. However,
I don't believe ANY of the server side code will even execute with the
validateRequest property set to "true". I believe the "HTML-encoding" would
also require server side code, which would similarly bomb. Correct? Am I
missing something here? (very likely)

Thanks again.

Mark

 
Guest

You can do validateRequest="false" in the page directive.

Then in code-behind you can do something like

string myString = HttpUtility.HtmlEncode(MyTextBox.Text);
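
A fuller version of the approach in this post, combined with Jim Cheshire's advice to pair validateRequest="false" with validation of your own (an added example, not code from anyone in the thread). `NoteHandler`, `MaxNoteLength` and the sample text are hypothetical; the note is stored as typed and HTML-encoded only when it is written into a page.

```csharp
using System;
using System.Text;
using System.Web; // HttpUtility (System.Web.dll on .NET Framework; built in on modern .NET)

// Models a code-behind handler for a page that has validateRequest="false".
// NoteHandler, MaxNoteLength and the sample input are hypothetical, for illustration.
public static class NoteHandler
{
    const int MaxNoteLength = 8000; // assumed limit; match it to your storage column

    // Our own validation stands in for the check that request validation no longer does.
    public static bool TryAccept(string posted, out string clean, out string error)
    {
        clean = null; error = null;
        if (posted == null || posted.Trim().Length == 0) { error = "Note is required."; return false; }
        if (posted.Length > MaxNoteLength) { error = "Note is too long."; return false; }

        // Keep printable text, tabs and line breaks; drop other control characters.
        StringBuilder sb = new StringBuilder(posted.Length);
        foreach (char c in posted)
            if (!char.IsControl(c) || c == '\r' || c == '\n' || c == '\t') sb.Append(c);
        clean = sb.ToString(); // stored as typed: angle brackets are preserved
        return true;
    }

    // Encode at the point of output, every time the note is written into HTML.
    public static string RenderHtml(string storedNote)
    {
        return "<pre>" + HttpUtility.HtmlEncode(storedNote) + "</pre>";
    }

    public static void Main()
    {
        // Constructed sample: a pasted e-mail header plus markup that must not execute.
        string posted = "From: Pat <pat@example.com>\r\n<script>alert(1)</script>";
        string clean, error;
        if (TryAccept(posted, out clean, out error))
            Console.WriteLine(RenderHtml(clean));
        else
            Console.WriteLine("Rejected: " + error);
    }
}
```

Encoding at output rather than at input keeps the stored text searchable and lets the same note be written safely into other contexts later, each with its own encoder.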

 
Jim Cheshire [MSFT]

Hi Mark,

If you want to leave validateRequest set to true, you will encode the data
on the client. You can do that by using the escape function in JavaScript.
You will then need to use UrlDecode against the data on the server side.

Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support
(e-mail address removed)

This post is provided "AS-IS" with no warranties and confers no rights.


 
Oytun YILMAZ

Request Validation is an ASP.NET feature. It can be turned off, but
turning it off is not recommended.

For a single page:
<%@ Page validateRequest="false" %>

For the entire app:
<configuration>
<system.web>
<pages validateRequest="false" />
</system.web>
</configuration>



A good detailed description is at the official site:
http://www.asp.net/faq/RequestValidation.aspx


- Oytun YILMAZ
 
