Solved

A potentially dangerous Request.Form value was detected from the client

Posted on 2004-08-13
Last Modified: 2008-02-01
Hi,

I have a simple web-based admin tool to enter data into a database.  ASP.NET does not allow me to enter HTML code in a TextBox of a WebForm.  I understand how this is a good security measure, but my client would like to be able to enter simple HTML for text formatting in the admin area of the application.  How can I disable this default security feature for the web-based administration application?

When I try to submit a WebForm with HTML in one or more TextBoxes, I get this error:

A potentially dangerous Request.Form value was detected from the client

Any help would be appreciated.
Question by:JasonRichard
13 Comments
 

Expert Comment

by:nauman_ahmed
ID: 11793927
If you trust the request, then in the @Page directive add this statement:

validateRequest=false

Best, Nauman

Accepted Solution

by:
nauman_ahmed earned 500 total points
ID: 11793944
To be more specific:

<%@ Page ValidateRequest="false" ... %>

Best, Nauman

Expert Comment

by:AerosSaga
ID: 11793994
Be aware that this will disable all validation on said page, but it's the only way to allow embedded HTML, as ASP.NET detects this as an XSS vulnerability.

Regards,

Aeros

Expert Comment

by:Thogek
ID: 11796409
More information about ValidateRequest (and other @Page attributes) is at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp

Author Comment

by:JasonRichard
ID: 11797054
Setting ValidateRequest=false seems to do the trick.

Aeros, you said "be aware that this will disable all validation on said page...".

Are you talking about validation controls placed on the WebForm as well, or did you just mean that all controls on the page will be able to accept scripts?  I thought you meant that any type of validation would not work, and it doesn't seem to interfere with the client side validation generated by the Validation controls (RequiredFieldValidator, RegularExpressionValidator...).

Thanks for your help.

Expert Comment

by:Thogek
ID: 11797399
The discussion of ValidateRequest (and other @Page attributes) at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp might answer your question.

This has to do with a feature in which "request validation checks all input data against a hard-coded list of potentially dangerous values" -- which appears to be completely distinct from programmatic form validation such as via ASP.NET validation controls.

Expert Comment

by:AerosSaga
ID: 11797863
That is correct JasonRichard, it disables all validation.  This is an all or none deal, I had to do this for a client because they use html markup for item descriptions, against my will I did.  All entries will be unvalidated.  I just want you to understand what you are doing.

Regards,

Aeros

Expert Comment

by:Thogek
ID: 11798615
AerosSaga,
Are you sure that @Page ValidateRequest="false" also disables form validation controls?  I don't see any mention of that in MSDN's treatment of ValidateRequest="false"
    http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp
    http://msdn.microsoft.com/library/en-us/vbcon/html/vbtskprotectingagainstscriptexploitsinwebapplication.asp
or the validation controls
    http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebuiwebcontrolsbasevalidatorclasstopic.asp

I haven't experimented with it myself...

Expert Comment

by:AerosSaga
ID: 11799766
How else would it know which controls you mean to not validate?  You are turning all validation off for that page!

Expert Comment

by:Thogek
ID: 11802654
The discussion of ValidateRequest="false" that I see at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp appears to have nothing to do with Validation controls at all.  It has to do with validating "all input data against a hard-coded list of potentially dangerous values" by ASP.NET -- which sounds to me like a different and distinct stage of validation than the use of specific Validation controls within the page, and a stage that occurs regardless of whether any such Validation controls exist on the page.

Has anyone actually tested the use of a few regular Validation controls on a page that has ValidateRequest="false"?

Author Comment

by:JasonRichard
ID: 11811086
Q: Has anyone actually tested the use of a few regular Validation controls on a page that has ValidateRequest="false"?

A: Yes I have.  Setting <%@ Page ValidateRequest="false"... does not appear to interfere with ValidationControls such as RequiredFieldValidator, RegularExpressionValidator, and so on.  I need to do further testing, but all ValidationControls on my WebForm still function the same as they did before I set ValidateRequest to false.

I would say that setting ValidateRequest to false disables validation against .NET's predefined values, but does not interfere with ValidationControls.

I'm going to leave this question open for a little while longer before awarding the points in case anyone has something more to add. Thank you everybody for helping me out.

JasonRichard

Expert Comment

by:AerosSaga
ID: 11811129
Let me apologize for misinforming you then, JasonRichard.

Author Comment

by:JasonRichard
ID: 11821308
No problem AerosSaga, it made for a good discussion.
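
One way to handle the output side once ValidateRequest is off for the admin page, as an added example that is not part of the original thread: HTML-encode the stored text and restore only a short allowlist of attribute-free formatting tags before rendering it. The class name, method name and tag list are assumptions; System.Net.WebUtility requires .NET Framework 4.0 or later (HttpUtility.HtmlEncode in System.Web is the older equivalent).

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example: allowlist filter for admin-entered formatting markup.
// FormattingFilter and ToSafeHtml are hypothetical names, not ASP.NET APIs.
public static class FormattingFilter
{
    // Assumed allowlist: simple tags with no attributes. Matches the
    // *encoded* form, so only exact "<b>", "</p>", "<br>" etc. qualify.
    private static readonly Regex AllowedTag = new Regex(
        @"&lt;(/?)(b|i|u|em|strong|p)&gt;|&lt;(br)\s*/?&gt;",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string ToSafeHtml(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        // 1. Encode everything, so nothing the user typed is live markup.
        string encoded = WebUtility.HtmlEncode(input);

        // 2. Restore only the allowlisted tags; a tag carrying attributes
        //    or any other element name stays encoded and renders as text.
        return AllowedTag.Replace(encoded, m =>
            m.Groups[3].Success
                ? "<br />"
                : "<" + m.Groups[1].Value + m.Groups[2].Value.ToLowerInvariant() + ">");
    }

    public static void Main()
    {
        // Constructed sample inputs, not taken from the thread.
        string[] samples = {
            "<b>Sale</b> ends <i>Friday</i><br>",
            "<b onclick=\"x()\">bold</b>",
            "<script>x()</script>",
            "Tom & Jerry <P>para</P>"
        };
        foreach (string s in samples)
            Console.WriteLine(ToSafeHtml(s));
    }
}
```

Apply the filter wherever the stored text is written into a page, not only in the admin form, since the public pages that display the text are where unfiltered markup would run.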