Yesterday, I was working in CMS engine in asp.net where I had to allow user to format the content in Rich Text Editors using Tiny Mice editor. but when I click on submit button asp.net raised an exception for “A potentially dangerous Request.Form value was detected from the client”.
Error:
Server Error in ‘ASP.Net’ Application.
A potentially dangerous Request.Form value was detected from the client (txtContent.Text=”<p>Hello</p>”).
Exception Details:
System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TextBox1=”<p>Hello</p>”).
Description:
Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
Cause:
ASP.Net By default validates all input controls for potentially unsafe contents that can lead to Cross Site Scripting and SQL Injections. Thus it disallows such content by throwing the above Exception. By default it is recommended to allow this check to happen on each postback.
Solution:
To make it working as per above scenario we need to set the ValidateRequest attribute as “false” to disbale the validation request for the page. There is two way to do it as follows.
1. Page level using page directive:
We can disable ValidateRequest by settings the attribute value in page directive.
<%@ Page Language=”C#” AutoEventWireup=”true” ValidateRequest = “false”
or
<pages validateRequest =”false” />
2. Globally using Web.config:
Instead of disabling ValidateRequest page wise we can disable it globally by mentioned the attribute in web.config file.
<system.web>
<page ValidateRequest = “false”/>
<!– Following extra setting require only for .net framework 4.0 or above –>
<httpRuntime requestValidationMode = “2.0” />
</system.web>
Alternate Solution (Encoding the content):
Unless you actually need users to be able to enter HTML, you must convert the string to its HTML encoding equivalent – basically this means that certain characters (like “<“) are converted to codes (so “<” is converted to “<”, etc). To perform this conversion use HttpUtility.HtmlEncode,
for example:
txtContent.Text = HttpUtility.HtmlEncode(MyTextBox.Text)
Friendly Error Message:
If you want to make the user ensure that the content does not contain dangerous value you can use your own validator.
<asp:RegularExp<b></b>ressionValidator runat=”server” ControlToValidate=”textbox” ValidationExp<b></b>ression=”^[\w]+$” ErrorMessage=”Use only alphanumeric characters” />
Remember:
When disabling the validation request on the page make sure to validate all input from that page.
When disabling the request validation on the application make sure to validate the entire application.
Important
The examples are just to illustrate the given solution, remember to validate as well at the server side.