Errors when adding HTML in a textbox

[Guest]

I have an .aspx page with a textbox on it, and whenever a users tries to submit some HTML type code it generates an unhandled exception error for it being "A potentially dangerous Request.Form value". I think it's doing this as an automatic safe guard against cross-site scripting, but what can I do to handle it so the user doesn't get the lovely red and yellow error page?

I tried putting the submit in a try...catch block, but it doesn't appear to be running the try...catch before it brings up the page. Can somebody please help with this?

Thanks,
Jeremy

 

[Chad McCune]

Hello Jeremy...see this reference in MSDN help

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/cpconpage.asp

See the section about the ValidateRequest attribute

hth,
Chad McCune, MCSE, MCDBA

I have an .aspx page with a textbox on it, and whenever a users tries to

submit some HTML type code it generates an unhandled exception error for it
being "A potentially dangerous Request.Form value". I think it's doing this
as an automatic safe guard against cross-site scripting, but what can I do
to handle it so the user doesn't get the lovely red and yellow error page?

I tried putting the submit in a try...catch block, but it doesn't appear

to be running the try...catch before it brings up the page. Can somebody
please help with this?

 

[Steve C. Orr [MVP, MCSD]]

One of the enhancements in 1.1 is the new "ValidateRequest" feature that
provides automatic detection and blocking of
suspicious looking data. This is a feature to prevent HTML injection and
other such attacks.
Here's more info:
http://weblogs.asp.net/vga/archive/2003/05/02/6329.aspx
http://www.asp.net/faq/RequestValidation.aspx
http://groups.google.com/groups?q="[email protected]&rnum=1

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net

I have an .aspx page with a textbox on it, and whenever a users tries to

submit some HTML type code it generates an unhandled exception error for it
being "A potentially dangerous Request.Form value". I think it's doing this
as an automatic safe guard against cross-site scripting, but what can I do
to handle it so the user doesn't get the lovely red and yellow error page?

I tried putting the submit in a try...catch block, but it doesn't appear

to be running the try...catch before it brings up the page. Can somebody
please help with this?

 

[Guest]

Thanks for your help, I didn't realize that it was a new "feature" of 1.1. I had heard the MS was going to automatically turn on security type features, but I wasn't sure exactly what they were going to do

My form is submitting data to a database and I'm using some validator controls to ensure some of the fields are dates, so do I need to Server.HtmlEncode my date fields when I submit? Also, should I HtmlDecode the fields I encode when I display the information in a label

Thanks for your help
Jeremy

 

[Guest]

Thanks for the reference Chad. It sure helps in understanding all this stuff

Jeremy

 

[Steve C. Orr [MVP, MCSD]]

A couple short and simple tests should lead you to these answers yourself.
Just try it and see.

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net

Thanks for your help, I didn't realize that it was a new "feature" of 1.1.

I had heard the MS was going to automatically turn on security type
features, but I wasn't sure exactly what they were going to do.

My form is submitting data to a database and I'm using some validator

controls to ensure some of the fields are dates, so do I need to
Server.HtmlEncode my date fields when I submit? Also, should I HtmlDecode
the fields I encode when I display the information in a label?

 

[Guest]

Yeah, I agree. After thinking about this I don't think this type of question could be given a straight forward answer. It's my application with its own set of requirements and what might work well for some situations won't work well for others. Plus it's hard to tell what other people really need in their application when you're giving out advice

Thanks for the hel
Jeremy