<> tags typed into a asp.net textbox

Discussion in 'ASP .Net' started by Mark, Aug 9, 2004.

  1. Mark

    Mark Guest

    We have a multi-line textbox that users copy and paste email text into. The
    pasted text frequently will contain a tag like <> or similar. I
    believe .NET is protecting itself from code injection by throwing a global
    error when this occurs. The exception message is pasted below.

    We will NOT be able to train our users to eliminate all <> tags. What's the
    best way to deal with this issue?

    Thanks in advance.

    Mark

    EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
    detected from the client (txtNote="<> ").
    Mark, Aug 9, 2004
    #1
    1. Advertising

  2. Mark

    Shiva Guest

    Hi,
    This is a security measure implemented in ASP.NET (1.1) to avoid
    script-injections. If you want to turn this off, add validateRequest="false"
    to the <@Page > directive on the page.

    To disable for the whole app, have this in your web.config (inside
    <configuration></configuration>):

    <system.web>
    <pages validateRequest="false" />
    </system.web>

    HTH.

    "Mark" <> wrote in message
    news:...
    We have a multi-line textbox that users copy and paste email text into. The
    pasted text frequently will contain a tag like <> or similar. I
    believe .NET is protecting itself from code injection by throwing a global
    error when this occurs. The exception message is pasted below.

    We will NOT be able to train our users to eliminate all <> tags. What's the
    best way to deal with this issue?

    Thanks in advance.

    Mark

    EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
    detected from the client (txtNote="<> ").
    Shiva, Aug 9, 2004
    #2
    1. Advertising

  3. Mark

    Mark Guest

    Great idea. However, does this render all Validation controls useless?
    Like a Required Field Validator or similar?

    Thanks again.

    Mark

    "Shiva" <> wrote in message
    news:...
    > Hi,
    > This is a security measure implemented in ASP.NET (1.1) to avoid
    > script-injections. If you want to turn this off, add

    validateRequest="false"
    > to the <@Page > directive on the page.
    >
    > To disable for the whole app, have this in your web.config (inside
    > <configuration></configuration>):
    >
    > <system.web>
    > <pages validateRequest="false" />
    > </system.web>
    >
    > HTH.
    >
    > "Mark" <> wrote in message
    > news:...
    > We have a multi-line textbox that users copy and paste email text into.

    The
    > pasted text frequently will contain a tag like <> or similar.

    I
    > believe .NET is protecting itself from code injection by throwing a global
    > error when this occurs. The exception message is pasted below.
    >
    > We will NOT be able to train our users to eliminate all <> tags. What's

    the
    > best way to deal with this issue?
    >
    > Thanks in advance.
    >
    > Mark
    >
    > EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
    > detected from the client (txtNote="<> ").
    >
    >
    >
    Mark, Aug 9, 2004
    #3
  4. Nope just allows any tags to be input on forms without erroring
    Doesnt stop any of the other validators
    "Mark" <> wrote in message
    news:...
    > Great idea. However, does this render all Validation controls useless?
    > Like a Required Field Validator or similar?
    >
    > Thanks again.
    >
    > Mark
    >
    > "Shiva" <> wrote in message
    > news:...
    > > Hi,
    > > This is a security measure implemented in ASP.NET (1.1) to avoid
    > > script-injections. If you want to turn this off, add

    > validateRequest="false"
    > > to the <@Page > directive on the page.
    > >
    > > To disable for the whole app, have this in your web.config (inside
    > > <configuration></configuration>):
    > >
    > > <system.web>
    > > <pages validateRequest="false" />
    > > </system.web>
    > >
    > > HTH.
    > >
    > > "Mark" <> wrote in message
    > > news:...
    > > We have a multi-line textbox that users copy and paste email text into.

    > The
    > > pasted text frequently will contain a tag like <> or

    similar.
    > I
    > > believe .NET is protecting itself from code injection by throwing a

    global
    > > error when this occurs. The exception message is pasted below.
    > >
    > > We will NOT be able to train our users to eliminate all <> tags. What's

    > the
    > > best way to deal with this issue?
    > >
    > > Thanks in advance.
    > >
    > > Mark
    > >
    > > EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
    > > detected from the client (txtNote="<> ").
    > >
    > >
    > >

    >
    >
    Steve Flitcroft, Aug 9, 2004
    #4
  5. Mark,

    We recommend that you not do this unless you pair it with writing some code
    of your own to validate the request. In most cases, you can easily leave
    validateRequest enabled in these circumstances by simply HTML-encoding the
    data you are entering into the Textbox control.

    Jim Cheshire [MSFT]
    MCP+I, MCSE, MCSD, MCDBA
    Microsoft Developer Support


    This post is provided "AS-IS" with no warranties and confers no rights.

    --------------------
    >From: "Steve Flitcroft" <>
    >References: <>

    <>
    <>
    >Subject: Re: <> tags typed into a asp.net textbox
    >Date: Mon, 9 Aug 2004 16:59:41 +0100
    >Lines: 56
    >X-Priority: 3
    >X-MSMail-Priority: Normal
    >X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
    >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
    >Message-ID: <Oe$>
    >Newsgroups: microsoft.public.dotnet.framework.aspnet
    >NNTP-Posting-Host: 62-249-220-208.no-dns-yet.enta.net 62.249.220.208
    >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
    >Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:253142
    >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    >
    >Nope just allows any tags to be input on forms without erroring
    >Doesnt stop any of the other validators
    >"Mark" <> wrote in message
    >news:...
    >> Great idea. However, does this render all Validation controls useless?
    >> Like a Required Field Validator or similar?
    >>
    >> Thanks again.
    >>
    >> Mark
    >>
    >> "Shiva" <> wrote in message
    >> news:...
    >> > Hi,
    >> > This is a security measure implemented in ASP.NET (1.1) to avoid
    >> > script-injections. If you want to turn this off, add

    >> validateRequest="false"
    >> > to the <@Page > directive on the page.
    >> >
    >> > To disable for the whole app, have this in your web.config (inside
    >> > <configuration></configuration>):
    >> >
    >> > <system.web>
    >> > <pages validateRequest="false" />
    >> > </system.web>
    >> >
    >> > HTH.
    >> >
    >> > "Mark" <> wrote in message
    >> > news:...
    >> > We have a multi-line textbox that users copy and paste email text into.

    >> The
    >> > pasted text frequently will contain a tag like <> or

    >similar.
    >> I
    >> > believe .NET is protecting itself from code injection by throwing a

    >global
    >> > error when this occurs. The exception message is pasted below.
    >> >
    >> > We will NOT be able to train our users to eliminate all <> tags.

    What's
    >> the
    >> > best way to deal with this issue?
    >> >
    >> > Thanks in advance.
    >> >
    >> > Mark
    >> >
    >> > EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
    >> > detected from the client (txtNote="<> ").
    >> >
    >> >
    >> >

    >>
    >>

    >
    >
    >
    Jim Cheshire [MSFT], Aug 9, 2004
    #5
  6. Mark

    Mark Guest

    Thanks Jim,

    By "writing some code" I believe you're implying server side code. However,
    I don't believe ANY of the server side code will even execute with the
    validateRequest property set to "true". I believe the "HTML-encoding" would
    also require server side code, which would similarly bomb. Correct? Am I
    missing something here? (very likely)

    Thanks again.

    Mark

    "Jim Cheshire [MSFT]" <> wrote in message
    news:...
    > Mark,
    >
    > We recommend that you not do this unless you pair it with writing some

    code
    > of your own to validate the request. In most cases, you can easily leave
    > validateRequest enabled in these circumstances by simply HTML-encoding the
    > data you are entering into the Textbox control.
    >
    > Jim Cheshire [MSFT]
    > MCP+I, MCSE, MCSD, MCDBA
    > Microsoft Developer Support
    >
    >
    > This post is provided "AS-IS" with no warranties and confers no rights.
    >
    > --------------------
    > >From: "Steve Flitcroft" <>
    > >References: <>

    > <>
    > <>
    > >Subject: Re: <> tags typed into a asp.net textbox
    > >Date: Mon, 9 Aug 2004 16:59:41 +0100
    > >Lines: 56
    > >X-Priority: 3
    > >X-MSMail-Priority: Normal
    > >X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
    > >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
    > >Message-ID: <Oe$>
    > >Newsgroups: microsoft.public.dotnet.framework.aspnet
    > >NNTP-Posting-Host: 62-249-220-208.no-dns-yet.enta.net 62.249.220.208
    > >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
    > >Xref: cpmsftngxa06.phx.gbl

    microsoft.public.dotnet.framework.aspnet:253142
    > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    > >
    > >Nope just allows any tags to be input on forms without erroring
    > >Doesnt stop any of the other validators
    > >"Mark" <> wrote in message
    > >news:...
    > >> Great idea. However, does this render all Validation controls

    useless?
    > >> Like a Required Field Validator or similar?
    > >>
    > >> Thanks again.
    > >>
    > >> Mark
    > >>
    > >> "Shiva" <> wrote in message
    > >> news:...
    > >> > Hi,
    > >> > This is a security measure implemented in ASP.NET (1.1) to avoid
    > >> > script-injections. If you want to turn this off, add
    > >> validateRequest="false"
    > >> > to the <@Page > directive on the page.
    > >> >
    > >> > To disable for the whole app, have this in your web.config (inside
    > >> > <configuration></configuration>):
    > >> >
    > >> > <system.web>
    > >> > <pages validateRequest="false" />
    > >> > </system.web>
    > >> >
    > >> > HTH.
    > >> >
    > >> > "Mark" <> wrote in message
    > >> > news:...
    > >> > We have a multi-line textbox that users copy and paste email text

    into.
    > >> The
    > >> > pasted text frequently will contain a tag like <> or

    > >similar.
    > >> I
    > >> > believe .NET is protecting itself from code injection by throwing a

    > >global
    > >> > error when this occurs. The exception message is pasted below.
    > >> >
    > >> > We will NOT be able to train our users to eliminate all <> tags.

    > What's
    > >> the
    > >> > best way to deal with this issue?
    > >> >
    > >> > Thanks in advance.
    > >> >
    > >> > Mark
    > >> >
    > >> > EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
    > >> > detected from the client (txtNote="<> ").
    > >> >
    > >> >
    > >> >
    > >>
    > >>

    > >
    > >
    > >

    >
    Mark, Aug 9, 2004
    #6
  7. You can do
    validateRequest="false" in the page directive.

    Then in code-behind you can do something like

    string myString = HttpUtility.HtmlEncode(MyTextBox.Text);

    "Mark" wrote:

    > Thanks Jim,
    >
    > By "writing some code" I believe you're implying server side code. However,
    > I don't believe ANY of the server side code will even execute with the
    > validateRequest property set to "true". I believe the "HTML-encoding" would
    > also require server side code, which would similarly bomb. Correct? Am I
    > missing something here? (very likely)
    >
    > Thanks again.
    >
    > Mark
    >
    > "Jim Cheshire [MSFT]" <> wrote in message
    > news:...
    > > Mark,
    > >
    > > We recommend that you not do this unless you pair it with writing some

    > code
    > > of your own to validate the request. In most cases, you can easily leave
    > > validateRequest enabled in these circumstances by simply HTML-encoding the
    > > data you are entering into the Textbox control.
    > >
    > > Jim Cheshire [MSFT]
    > > MCP+I, MCSE, MCSD, MCDBA
    > > Microsoft Developer Support
    > >
    > >
    > > This post is provided "AS-IS" with no warranties and confers no rights.
    > >
    > > --------------------
    > > >From: "Steve Flitcroft" <>
    > > >References: <>

    > > <>
    > > <>
    > > >Subject: Re: <> tags typed into a asp.net textbox
    > > >Date: Mon, 9 Aug 2004 16:59:41 +0100
    > > >Lines: 56
    > > >X-Priority: 3
    > > >X-MSMail-Priority: Normal
    > > >X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
    > > >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
    > > >Message-ID: <Oe$>
    > > >Newsgroups: microsoft.public.dotnet.framework.aspnet
    > > >NNTP-Posting-Host: 62-249-220-208.no-dns-yet.enta.net 62.249.220.208
    > > >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
    > > >Xref: cpmsftngxa06.phx.gbl

    > microsoft.public.dotnet.framework.aspnet:253142
    > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    > > >
    > > >Nope just allows any tags to be input on forms without erroring
    > > >Doesnt stop any of the other validators
    > > >"Mark" <> wrote in message
    > > >news:...
    > > >> Great idea. However, does this render all Validation controls

    > useless?
    > > >> Like a Required Field Validator or similar?
    > > >>
    > > >> Thanks again.
    > > >>
    > > >> Mark
    > > >>
    > > >> "Shiva" <> wrote in message
    > > >> news:...
    > > >> > Hi,
    > > >> > This is a security measure implemented in ASP.NET (1.1) to avoid
    > > >> > script-injections. If you want to turn this off, add
    > > >> validateRequest="false"
    > > >> > to the <@Page > directive on the page.
    > > >> >
    > > >> > To disable for the whole app, have this in your web.config (inside
    > > >> > <configuration></configuration>):
    > > >> >
    > > >> > <system.web>
    > > >> > <pages validateRequest="false" />
    > > >> > </system.web>
    > > >> >
    > > >> > HTH.
    > > >> >
    > > >> > "Mark" <> wrote in message
    > > >> > news:...
    > > >> > We have a multi-line textbox that users copy and paste email text

    > into.
    > > >> The
    > > >> > pasted text frequently will contain a tag like <> or
    > > >similar.
    > > >> I
    > > >> > believe .NET is protecting itself from code injection by throwing a
    > > >global
    > > >> > error when this occurs. The exception message is pasted below.
    > > >> >
    > > >> > We will NOT be able to train our users to eliminate all <> tags.

    > > What's
    > > >> the
    > > >> > best way to deal with this issue?
    > > >> >
    > > >> > Thanks in advance.
    > > >> >
    > > >> > Mark
    > > >> >
    > > >> > EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
    > > >> > detected from the client (txtNote="<> ").
    > > >> >
    > > >> >
    > > >> >
    > > >>
    > > >>
    > > >
    > > >
    > > >

    > >

    >
    >
    >
    =?Utf-8?B?UnlhbiBSaWRkZWxs?=, Aug 9, 2004
    #7
  8. Hi Mark,

    If you want to leave validateRequest set to true, you will encode the data
    on the client. You can do that by using the escape function in JavaScript.
    You will then need to use UrlDecode against the data on the server side.

    Jim Cheshire [MSFT]
    MCP+I, MCSE, MCSD, MCDBA
    Microsoft Developer Support


    This post is provided "AS-IS" with no warranties and confers no rights.


    --------------------
    >From: "Mark" <>
    >References: <>

    <>
    <>
    <Oe$>
    <>
    >Subject: Re: <> tags typed into a asp.net textbox
    >Date: Mon, 9 Aug 2004 11:16:52 -0500
    >Lines: 112
    >X-Priority: 3
    >X-MSMail-Priority: Normal
    >X-Newsreader: Microsoft Outlook Express 6.00.3790.181
    >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181
    >Message-ID: <>
    >Newsgroups: microsoft.public.dotnet.framework.aspnet
    >NNTP-Posting-Host: x15-238.cce.umn.edu 134.84.15.238
    >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
    >Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:253149
    >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    >
    >Thanks Jim,
    >
    >By "writing some code" I believe you're implying server side code.

    However,
    >I don't believe ANY of the server side code will even execute with the
    >validateRequest property set to "true". I believe the "HTML-encoding"

    would
    >also require server side code, which would similarly bomb. Correct? Am I
    >missing something here? (very likely)
    >
    >Thanks again.
    >
    >Mark
    >
    >"Jim Cheshire [MSFT]" <> wrote in message
    >news:...
    >> Mark,
    >>
    >> We recommend that you not do this unless you pair it with writing some

    >code
    >> of your own to validate the request. In most cases, you can easily leave
    >> validateRequest enabled in these circumstances by simply HTML-encoding

    the
    >> data you are entering into the Textbox control.
    >>
    >> Jim Cheshire [MSFT]
    >> MCP+I, MCSE, MCSD, MCDBA
    >> Microsoft Developer Support
    >>
    >>
    >> This post is provided "AS-IS" with no warranties and confers no rights.
    >>
    >> --------------------
    >> >From: "Steve Flitcroft" <>
    >> >References: <>

    >> <>
    >> <>
    >> >Subject: Re: <> tags typed into a asp.net textbox
    >> >Date: Mon, 9 Aug 2004 16:59:41 +0100
    >> >Lines: 56
    >> >X-Priority: 3
    >> >X-MSMail-Priority: Normal
    >> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
    >> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
    >> >Message-ID: <Oe$>
    >> >Newsgroups: microsoft.public.dotnet.framework.aspnet
    >> >NNTP-Posting-Host: 62-249-220-208.no-dns-yet.enta.net 62.249.220.208
    >> >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
    >> >Xref: cpmsftngxa06.phx.gbl

    >microsoft.public.dotnet.framework.aspnet:253142
    >> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    >> >
    >> >Nope just allows any tags to be input on forms without erroring
    >> >Doesnt stop any of the other validators
    >> >"Mark" <> wrote in message
    >> >news:...
    >> >> Great idea. However, does this render all Validation controls

    >useless?
    >> >> Like a Required Field Validator or similar?
    >> >>
    >> >> Thanks again.
    >> >>
    >> >> Mark
    >> >>
    >> >> "Shiva" <> wrote in message
    >> >> news:...
    >> >> > Hi,
    >> >> > This is a security measure implemented in ASP.NET (1.1) to avoid
    >> >> > script-injections. If you want to turn this off, add
    >> >> validateRequest="false"
    >> >> > to the <@Page > directive on the page.
    >> >> >
    >> >> > To disable for the whole app, have this in your web.config (inside
    >> >> > <configuration></configuration>):
    >> >> >
    >> >> > <system.web>
    >> >> > <pages validateRequest="false" />
    >> >> > </system.web>
    >> >> >
    >> >> > HTH.
    >> >> >
    >> >> > "Mark" <> wrote in message
    >> >> > news:...
    >> >> > We have a multi-line textbox that users copy and paste email text

    >into.
    >> >> The
    >> >> > pasted text frequently will contain a tag like <> or
    >> >similar.
    >> >> I
    >> >> > believe .NET is protecting itself from code injection by throwing a
    >> >global
    >> >> > error when this occurs. The exception message is pasted below.
    >> >> >
    >> >> > We will NOT be able to train our users to eliminate all <> tags.

    >> What's
    >> >> the
    >> >> > best way to deal with this issue?
    >> >> >
    >> >> > Thanks in advance.
    >> >> >
    >> >> > Mark
    >> >> >
    >> >> > EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
    >> >> > detected from the client (txtNote="<> ").
    >> >> >
    >> >> >
    >> >> >
    >> >>
    >> >>
    >> >
    >> >
    >> >

    >>

    >
    >
    >
    Jim Cheshire [MSFT], Aug 10, 2004
    #8
  9. Mark

    Oytun YILMAZ Guest

    On Mon, 9 Aug 2004 10:32:52 -0500, Mark wrote:

    > We have a multi-line textbox that users copy and paste email text into. The
    > pasted text frequently will contain a tag like <> or similar. I
    > believe .NET is protecting itself from code injection by throwing a global
    > error when this occurs. The exception message is pasted below.
    >
    > We will NOT be able to train our users to eliminate all <> tags. What's the
    > best way to deal with this issue?
    >
    > Thanks in advance.
    >
    > Mark
    >
    > EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
    > detected from the client (txtNote="<> ").


    Request Validation is an ASP.NET feature, it could be turned off but
    turning off is not recommended.

    for a single page:
    <%@ Page validateRequest="false" %>

    for entire app:
    <configuration>
    <system.web>
    <pages validateRequest="false" />
    </system.web>
    </configuration>



    A good detailed description is at the official site:
    http://www.asp.net/faq/RequestValidation.aspx


    - Oytun YILMAZ
    Oytun YILMAZ, Aug 10, 2004
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Ersin Gençtürk
    Replies:
    1
    Views:
    3,479
    Ersin Gençtürk
    Oct 6, 2004
  2. Mad Bull
    Replies:
    3
    Views:
    384
    Rob Meade
    Jul 20, 2006
  3. Yingjie Lan
    Replies:
    4
    Views:
    300
    John Nagle
    Jan 29, 2010
  4. ald
    Replies:
    3
    Views:
    175
    Axel Dahmen
    Dec 21, 2003
  5. ErwinP
    Replies:
    1
    Views:
    737
    ErwinP
    Aug 19, 2005
Loading...

Share This Page