A potentially dangerous Request.Form value was detected from the client

Posted on 2004-08-13
Last Modified: 2008-02-01
Hi,

I have a simple web-based admin tool to enter data into a database.  ASP.NET does not allow me to enter HTML code in a TextBox of a WebForm.  I understand how this is a good security measure, but my client would like to be able to enter simple HTML for text formatting in the admin area of the application.  How can I disable this default security feature for the web-based administration application?

When I try to submit a WebForm with HTML in one or more TextBoxes, I get this error:

A potentially dangerous Request.Form value was detected from the client

Any help would be appreciated.
Question by:JasonRichard
13 Comments
 
Expert Comment

by:nauman_ahmed
If you trust the request, then in the @Page directive add this statement:

validateRequest=false

Best, Nauman
Accepted Solution

by:
nauman_ahmed earned 500 total points
To be more specific:

<%@ Page validateRequest="false" ... %>

Best, Nauman
Expert Comment

by:AerosSaga
Be aware that this will disable all validation on said page, but it's the only way to allow embedded HTML, as ASP.NET detects this as an XSS vulnerability.

Regards,

Aeros
Expert Comment

by:Thogek
More information about ValidateRequest (and other @Page attributes) is at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp
Author Comment

by:JasonRichard
Setting ValidateRequest=false seems to do the trick.

Aeros, you said "be aware that this will disable all validation on said page...".

Are you talking about validation controls placed on the WebForm as well, or did you just mean that all controls on the page will be able to accept scripts?  I thought you meant that any type of validation would not work, and it doesn't seem to interfere with the client side validation generated by the Validation controls (RequiredFieldValidator, RegularExpressionValidator...).

Thanks for your help.
Expert Comment

by:Thogek
The discussion of ValidateRequest (and other @Page attributes) at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp might answer your question.

This has to do with a feature in which "request validation checks all input data against a hard-coded list of potentially dangerous values" -- which appears to be completely distinct from programmatic form validation such as via ASP.NET validation controls.
Expert Comment

by:AerosSaga
That is correct, JasonRichard: it disables all validation.  This is an all-or-none deal. I had to do this for a client because they use HTML markup for item descriptions; against my will, I did.  All entries will be unvalidated.  I just want you to understand what you are doing.

Regards,

Aeros
Expert Comment

by:Thogek
AerosSaga,
Are you sure that @Page ValidateRequest="false" also disables form validation controls?  I don't see any mention of that in MSDN's treatment of ValidateRequest="false"
    http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp
    http://msdn.microsoft.com/library/en-us/vbcon/html/vbtskprotectingagainstscriptexploitsinwebapplication.asp
or the validation controls
    http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebuiwebcontrolsbasevalidatorclasstopic.asp

I haven't experimented with it myself...
Expert Comment

by:AerosSaga
How else would it know which controls you mean to not validate?  You are turning all validation off for that page!
Expert Comment

by:Thogek
The discussion of ValidateRequest="false" that I see at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp appears to have nothing to do with Validation controls at all.  It has to do with validating "all input data against a hard-coded list of potentially dangerous values" by ASP.NET -- which sounds to me like a different and distinct stage of validation than the use of specific Validation controls within the page, and a stage that occurs regardless of whether any such Validation controls exist on the page.

Has anyone actually tested the use of a few regular Validation controls on a page that has ValidateRequest="false"?
Author Comment

by:JasonRichard
Q: Has anyone actually tested the use of a few regular Validation controls on a page that has ValidateRequest="false"?

A: Yes I have.  Setting <%@ Page ValidateRequest="false"... does not appear to interfere with ValidationControls such as RequiredFieldValidator, RegularExpressionValidator, and so on.  I need to do further testing, but all ValidationControls on my WebForm still function the same as they did before I set ValidateRequest to false.

I would say that setting ValidateRequest to false disables validation against .NET's predefined values, but does not interfere with ValidationControls.

I'm going to leave this question open for a little while longer before awarding the points in case anyone has something more to add. Thank you everybody for helping me out.

JasonRichard
Expert Comment

by:AerosSaga
Let me apologize for misinforming you then, JasonRichard.
Author Comment

by:JasonRichard
No problem AerosSaga, it made for a good discussion.
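
Added example, not part of the original thread or any poster's code: once request validation is switched off as discussed above, the page has to neutralise submitted markup itself before rendering it. This sketch encodes everything and then re-enables only a short allow-list of attribute-free formatting tags; `FormatHelper`, `ToSafeHtml`, the tag list and the sample input are hypothetical, and `WebUtility.HtmlEncode` stands in for `Server.HtmlEncode` so the code runs as a console program.

```csharp
using System;
using System.Net;
using System.Text;

// Added example: allow-list formatter for a page running with ValidateRequest="false".
// FormatHelper, ToSafeHtml and AllowedTags are hypothetical names, not framework APIs.
public static class FormatHelper
{
    // Only these exact, attribute-free tags are re-enabled; everything else stays encoded.
    private static readonly string[] AllowedTags = { "b", "i", "u", "em", "strong", "p" };

    public static string ToSafeHtml(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        // Step 1: encode the whole value so every tag and quote becomes inert text.
        var sb = new StringBuilder(WebUtility.HtmlEncode(input));

        // Step 2: turn back only the encoded forms of allow-listed tags.
        // A tag carrying attributes (e.g. onclick) or different casing does not
        // match these exact strings and therefore remains encoded (fail closed).
        foreach (string tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        sb.Replace("&lt;br&gt;", "<br>");
        sb.Replace("&lt;br /&gt;", "<br />");

        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample input: allowed formatting mixed with markup that must stay inert.
        string posted = "<b>Sale</b> ends <i>Friday</i>"
                      + "<script>alert(1)</script>"
                      + "<b onclick=\"x()\">hi</b>";

        Console.WriteLine(ToSafeHtml(posted));
    }
}
```

Apply the formatter when the stored value is written into the page, so the same rule covers rows that were saved before the setting was changed.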