HTML not accepted in datagrid update modules

.Net Sports

I'm trying to insert HTML elements (tags like <br>, or even link tags
<a href> etc.) into a datagrid module that updates articles in a SQL
database. The actual field "articletext" that contains the content for the
article is configured in the datagrid as shown below:

<asp:TemplateColumn headertext="Article Text">
  <ItemTemplate>
    <%# DataBinder.Eval(Container.DataItem, "ArticleText") %>
  </ItemTemplate>
  <EditItemTemplate>
    <asp:TextBox id="ArticleText" runat="server" Height="250px"
      TextMode="MultiLine"
      text='<%# DataBinder.Eval(Container.DataItem, "ArticleText") %>' ></asp:TextBox>
  </EditItemTemplate>
</asp:TemplateColumn>

It works fine when submitting regular text, but I get this error when adding
HTML:

A potentially dangerous Request.Form value was detected from the client
(MyDataGrid:_ctl6:ArticleText="...7TH GAME!!<br> Welcome to o...").

???? .NetSports
 
vMike

.Net Sports said:
I'm trying to insert HTML elements (tags like <br>, or even link tags
<a href> etc.) into a datagrid module that updates articles in a SQL
database. The actual field "articletext" that contains the content for the
article is configured in the datagrid as shown below:

<asp:TemplateColumn headertext="Article Text">
<ItemTemplate>
<%# DataBinder.Eval(Container.DataItem, "ArticleText") %>
</ItemTemplate>
<EditItemTemplate>

Take a look at ValidateRequest in the @Page directive. There are precautions
you must take also, so be sure to follow them.
Mike
 
vMike

.Net Sports said:
I was able to adjust the @Page directive with this, thanks!

Be sure to use Server.HtmlEncode or some other method to handle anything
malicious unless you are sure of the source. This is from the .NET SDK ...

Note: This example will only work if you disable request validation in
the page by adding the @ Page attribute ValidateRequest="false". Never
disable request validation without adding your own check or filter.


Mike
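
One way to add the "check or filter" mentioned above once ValidateRequest="false" is set, as an added example that is not part of the thread or the SDK sample: encode the whole article text on output, then re-enable only a short allowlist of tags. It is written in C#; the class name ArticleHtml, the method ToSafeHtml and the chosen tag list are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility lives in System.Web.dll

// Hypothetical helper (not from the thread): render stored article text safely.
public static class ArticleHtml
{
    // Bare formatting tags that may be turned back into markup (assumed list).
    private static readonly string[] SimpleTags = { "br", "b", "i" };

    // An already-encoded <a href="http(s)://..."> carrying no other attributes.
    // The URL part cannot contain a raw '&', so &quot; &lt; &gt; never match;
    // only &amp; (an encoded query-string separator) is allowed through.
    private static readonly Regex EncodedLink = new Regex(
        @"&lt;a href=&quot;(https?://(?:[^&\s]|&amp;)+)&quot;&gt;",
        RegexOptions.IgnoreCase);

    public static string ToSafeHtml(string raw)
    {
        if (string.IsNullOrEmpty(raw)) return string.Empty;

        // 1. Encode everything, so every tag the editor typed becomes inert text.
        string s = HttpUtility.HtmlEncode(raw);

        // 2. Re-enable allowlisted tags only in their attribute-free form:
        //    <br>, <br />, <b>, </b>, <i>, </i>. "<b onclick=...>" stays encoded.
        foreach (string tag in SimpleTags)
        {
            s = Regex.Replace(s,
                "&lt;(/?)" + tag + @"\s*(/?)&gt;",
                "<${1}" + tag + "${2}>",
                RegexOptions.IgnoreCase);
        }

        // 3. Re-enable links only when the target is absolute http or https;
        //    javascript: and data: URLs do not match and stay as visible text.
        s = EncodedLink.Replace(s, "<a href=\"$1\" rel=\"nofollow\">");
        s = Regex.Replace(s, "&lt;/a&gt;", "</a>", RegexOptions.IgnoreCase);

        return s;
    }
}
```

The helper would be called from the ItemTemplate binding expression in place of the bare DataBinder.Eval output, while the database keeps the text exactly as submitted. The TextBox in the EditItemTemplate needs no such call, because the control HTML-encodes its Text value when it renders.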
 
