July 27, 2011

A potentially dangerous Request.Form value was detected from the client (txtInput="<br />").

One of my students asked about the error below, which appears when trying to input some HTML elements in a TextBox or textarea:

A potentially dangerous Request.Form value was detected from the client (txtInput="<br />"). 
Description: 
Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. 

Solution:

1.) To avoid this problem and allow HTML tags in a TextBox control you need to change ValidateRequest in the Page directive to false. You can do it as in the code below:
<%@ Page Language="C#" AutoEventWireup="false" CodeFile="Default.aspx.cs" ValidateRequest="false" Inherits="_Default" %>

After this change, your application will accept every input, including HTML tags.

The solution above is dangerous: the data is not validated at all, so the application is vulnerable to attacks with outside scripts and code.
Disabling the validation for just one TextBox control is not possible in ASP.NET.
So, to disable the validation for only one control, I have written the JavaScript code below.


Default.aspx

<%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
    <script type="text/javascript">
        // Entity-encode the textbox contents just before the form is posted, so the
        // raw value no longer contains "<" or ">" and request validation lets it through.
        function encodeData() {
            var obj = document.getElementById("txtInput");
            var toEncode = obj.value;
            // "&" must be replaced first, otherwise the entities added below would be encoded twice.
            obj.value = toEncode.replace(/&/g, '&amp;')
                                .replace(/"/g, '&quot;')
                                .replace(/</g, '&lt;')
                                .replace(/>/g, '&gt;');
        }
    </script>
</head>
<body>
    <form id="Form1" runat="server">
        <asp:TextBox Runat="server" ID="txtInput" TextMode="MultiLine" Columns="50" Rows="10" />
        <asp:Button Runat="server" ID="btnSubmit" Text="Submit" OnClientClick="encodeData();" OnClick="btnSubmit_Click" />
        <br />
        <asp:Literal Runat="server" ID="SeeOutPut" />
        <asp:Label ID="justShow" runat="server"></asp:Label>
    </form>
</body>
</html>

Default.aspx.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;


public partial class _Default : System.Web.UI.Page 
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
        }
    }


    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // The browser entity-encoded the value before posting, so decode it once here
        // to get the original HTML back, then show it in the Literal, TextBox and Label.
        string decoded = Server.HtmlDecode(txtInput.Text);
        SeeOutPut.Text = decoded;
        txtInput.Text = decoded;
        justShow.Text = decoded;
    }
}
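Request validation only inspects the raw POST body, so a value the browser has already entity-encoded passes it; once btnSubmit_Click decodes that value and writes it into the Literal, the field behaves as if validation were turned off for it, and a request that posts an already-encoded script tag is decoded and rendered as live markup. As an added example (not the post's own code), the class below keeps the decode step but lets only a fixed set of tags through and HTML-encodes everything else; the tag list, the class name and the sample input are assumptions.

```csharp
// Added example (not from the original post). Assumes .NET with System.Web available
// (System.Web.dll on .NET Framework, or the System.Web.HttpUtility assembly on .NET Core/5+).
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

public static class LimitedHtml
{
    // Exact tags the page is willing to render (assumed list); everything else is text.
    private static readonly Regex AllowedTag = new Regex(
        @"<(/?)(br|b|i)\s*/?>", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Takes the posted value as btnSubmit_Click receives it (entity-encoded by encodeData
    // in the browser), decodes it the way the post does, then rebuilds the output:
    // allowed tags are re-emitted in canonical form, all other text is HTML-encoded.
    public static string Render(string posted)
    {
        string decoded = HttpUtility.HtmlDecode(posted ?? string.Empty);
        var sb = new StringBuilder();
        int last = 0;
        foreach (Match m in AllowedTag.Matches(decoded))
        {
            // Text between allowed tags is encoded, so a decoded "<script>" stays inert.
            sb.Append(HttpUtility.HtmlEncode(decoded.Substring(last, m.Index - last)));
            string name = m.Groups[2].Value.ToLowerInvariant();
            bool closing = m.Groups[1].Value == "/";
            if (name == "br")
                sb.Append("<br />");
            else
                sb.Append(closing ? "</" + name + ">" : "<" + name + ">");
            last = m.Index + m.Length;
        }
        sb.Append(HttpUtility.HtmlEncode(decoded.Substring(last)));
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample: the form value encodeData() produces for
        // "<br />hello <script>alert(1)</script>". It contains no "<", so it passes request validation.
        string posted = "&lt;br /&gt;hello &lt;script&gt;alert(1)&lt;/script&gt;";

        // What SeeOutPut renders today: the script element comes back as live markup.
        Console.WriteLine(HttpUtility.HtmlDecode(posted));
        // Allow-listed version: the line break survives, the script element is shown as text.
        Console.WriteLine(Render(posted));
    }
}
```

The same Render call can replace the three Server.HtmlDecode assignments in btnSubmit_Click, with the TextBox keeping the raw posted text so the user can edit it.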
