A potentially dangerous Request.Form value was detected from the client

JJ_377

scenario: textbox that user enters some program code in...
this will cause the above error in the subject of this posting...

How can I deal with this:
Besides a custom error page, is there any way to trap this so that I
can remove the offending item from say, a textbox, and then tell the
user not to enter items in the textbox that will raise this error?

I don't seem to be able to trap the error because none of the usual
page and control events seem to fire when I put offending material in a
textbox (with the page directive validateRequest NOT set to false).

I would really like to keep my validateRequest Not set to false because
of the security advantages...

Thank you.

intrader

Seems to me that you need to validate the Text of the textbox at the
server. The normal behavior is for the validation to occur in both the
client and the server. But when you request so, it is possible to only do
it at the server which is what you want.
However, you have to be very careful, as you would have the offending code
in the Text (and this is by design in the server-side DOM) and it is
possible to cause stuff in the DOM to execute (huge security violation).

WJ

scenario: textbox that user enters some program code in...
this will cause the above error in the subject of this posting...
One good way is to not execute raw SQL script such as "select * from ???".
This means you use parameters. Without this, it would be difficult to detect
the user's input.

John

JJ_377

Thank you.
How do I do that? It looks like I need to validate the textbox in the
changed event...
I was thinking of doing a search/replace on the user's entries for the
usual suspects -- greater-than and less-than signs -- in the changed
event. I suppose it is documented somewhere (MSDN) as to precisely which
characters .NET would find suspicious.
I wish .net would have added some sort of functionality to help us deal
with this...

JJ_377

Not sure what this is - can you give me an example?
In my case, I'm just updating a recordset (dataset...) with the
contents of a textbox...
thanks!
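Added example, not code from anyone in this thread: one way to do what JJ_377 asks while keeping validateRequest enabled, along the lines intrader describes, is to catch the HttpRequestValidationException in Global.asax, which runs even though the page's own events never get a chance to. The page name CodeEntry.aspx, the query-string flag and the label name are assumptions for illustration.

```csharp
// Global.asax.cs (hypothetical file in the poster's web project)
using System;
using System.Web;

public class Global : HttpApplication
{
    // Request validation runs while the framework reads the posted form,
    // before Page_Load or any TextChanged event. Application_Error is the
    // first place the exception can be handled with ValidateRequest left on.
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // ASP.NET may wrap the real error in HttpUnhandledException.
        if (ex.GetBaseException() is HttpRequestValidationException)
        {
            // Do NOT touch Request.Form here: reading it re-runs validation
            // and throws again, so the offending text is not recoverable
            // this way (the generic error page would be shown instead).
            Server.ClearError();

            // Send the user back to the entry page with a flag so it can
            // explain what to avoid, instead of the yellow error screen.
            Response.Redirect("~/CodeEntry.aspx?invalidinput=1", false);
            CompleteRequest();
        }
    }
}

// CodeEntry.aspx.cs (hypothetical code-behind for the page with the textbox)
public partial class CodeEntry : System.Web.UI.Page
{
    // lblWarning is an assumed <asp:Label> on the page.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.QueryString["invalidinput"] == "1")
        {
            lblWarning.Visible = true;
            lblWarning.Text = "Your entry contained markup-like characters "
                + "such as < or > and was rejected. Please remove them.";
        }
    }
}
```

The user's original text is lost on the redirect by design; if it must be preserved, the only safe route is to store it without validation (Request.Unvalidated exists from .NET 4.5) and HtmlEncode it before it is ever written back into the page.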