Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

A potentially dangerous Request.Form value was detected from the client

Posted on 2004-08-13
13
Medium Priority
?
610 Views
Last Modified: 2008-02-01
Hi,

I have a simple web-based admin tool to enter data into a database.  ASP.NET does not allow me to enter HTML code in a TextBox of a WebForm.  I understand how this is a good security measure, but my client would like to be able to enter simple HTML for text formatting in the admin area of the application.  How can I disable this default security feature for the web-based administration application?

When I try to submit a WebForm with HTML in one or more TextBoxes, I get this error:

A potentially dangerous Request.Form value was detected from the client

Any help would be appreciated.
0
Comment
Question by:JasonRichard
  • 4
  • 4
  • 3
  • +1
13 Comments
 
LVL 25

Expert Comment

by:nauman_ahmed
ID: 11793927
If you trust the request than in the @Page directive add this statment:

validateRequest=false

Best, Nauman
0
 
LVL 25

Accepted Solution

by:
nauman_ahmed earned 2000 total points
ID: 11793944
To be more specific:

<@Page validateRequest="false" ... >

Best, Nauman
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11793994
be aware that this will disable all validation on said page, but its the only way to allow embedded HTML as ASP.NET detects this as a XSS vulnerability.

Regards,

Aeros
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 15

Expert Comment

by:Thogek
ID: 11796409
More information about ValidateRequest (and other @Page attributes) is at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp
0
 

Author Comment

by:JasonRichard
ID: 11797054
Setting ValidateRequest=false, seems to do the trick.  

Aeros, you said "be aware that this will disable all validation on said page...".

Are you talking about validation controls placed on the WebForm as well, or did you just mean that all controls on the page will be able to accept scripts?  I thought you meant that any type of validation would not work, and it doesn't seem to interfere with the client side validation generated by the Validation controls (RequiredFieldValidator, RegularExpressionValidator...).

Thanks for your help.
0
 
LVL 15

Expert Comment

by:Thogek
ID: 11797399
The discussion of ValidateRequest (and other @Page attributes) at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp might answer your question.

This has to do with a feature in which "request validation checks all input data against a hard-coded list of potentially dangerous values" -- which appears to be completely distinct from programmatic form validation such as via ASP.NET validation controls.
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11797863
That is correct JasonRichard, it disables all validation.  This is an all or none deal, I had to do this for a client because they use html markup for item descriptions, against my will I did.  All entries will be unvalidated.  I just want you to understand what you are doing.

Regards,

Aeros
0
 
LVL 15

Expert Comment

by:Thogek
ID: 11798615
AerosSaga,
Are you sure that @Page ValidateRequest="false" also disables form vaildation controls?  I don't see any mention of that in MSDN's treatment of ValidateRequest="false"
    http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp
    http://msdn.microsoft.com/library/en-us/vbcon/html/vbtskprotectingagainstscriptexploitsinwebapplication.asp
or the validation controls
    http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebuiwebcontrolsbasevalidatorclasstopic.asp

I haven't experimented with it myself...
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11799766
how else would it know which to controls you mean to not validate?  You are turning all a validation off for that page!
0
 
LVL 15

Expert Comment

by:Thogek
ID: 11802654
The discussion of ValidateRequest="false" that I see at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp appears to have nothing to do with Validation controls at all.  It has to do with validating "all input data against a hard-coded list of potentially dangerous values"by ASP.NET -- which sounds to me like a different and distinct stage of validation that the use of specific Validation controls within the page, and a stage that occurs regardless of whether any such Validation controls exist on the page.

Has anyone actually tested the use of a few regular Validation controls on a page that has ValidateRequest="false"?
0
 

Author Comment

by:JasonRichard
ID: 11811086
Q: Has anyone actually tested the use of a few regular Validation controls on a page that has ValidateRequest="false"?

A: Yes I have.  Setting <%@ Page ValidateRequest="false"... does not appear to interfere with ValidationControls such as RequiredFieldValidator, RegularExpressionValidator, and so on.  I need to do further testing, but all ValidationControls on my WebForm still function the same as they did before I set ValidateRequest to false.

I would say that setting ValidateRequest to false disables validation against .NET's predefined values, but does not interfere with ValidationControls.

I'm going to leave this question open for a little while longer before awarding the points incase anyone has something more to add. Thank you everybody for helping me out.

JasonRichard
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11811129
let me apoligize for misinforming you then JasonRichard.
0
 

Author Comment

by:JasonRichard
ID: 11821308
No problem AerosSaga, it made for a good discussion.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses the ASP.NET AJAX ModalPopupExtender control. In this article we will show how to use the ModalPopupExtender control, how to display/show/call the ASP.NET AJAX ModalPopupExtender control from javascript, how to show/display/cal…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Screencast - Getting to Know the Pipeline
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question