Solved

A potentially dangerous Request.Form value was detected from the client

Posted on 2004-08-13
Last Modified: 2008-02-01
Hi,

I have a simple web-based admin tool to enter data into a database.  ASP.NET does not allow me to enter HTML code in a TextBox of a WebForm.  I understand how this is a good security measure, but my client would like to be able to enter simple HTML for text formatting in the admin area of the application.  How can I disable this default security feature for the web-based administration application?

When I try to submit a WebForm with HTML in one or more TextBoxes, I get this error:

A potentially dangerous Request.Form value was detected from the client

Any help would be appreciated.
0
Question by:JasonRichard
13 Comments
 
LVL 25

Expert Comment

by:nauman_ahmed
ID: 11793927
If you trust the request, then in the @Page directive add this statement:

validateRequest=false

Best, Nauman
0
 
LVL 25

Accepted Solution

by:
nauman_ahmed earned 500 total points
ID: 11793944
To be more specific:

<%@ Page validateRequest="false" ... %>

Best, Nauman
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11793994
Be aware that this will disable all validation on said page, but it's the only way to allow embedded HTML, as ASP.NET detects this as an XSS vulnerability.

Regards,

Aeros
0
 
LVL 15

Expert Comment

by:Thogek
ID: 11796409
More information about ValidateRequest (and other @Page attributes) is at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp
0
 

Author Comment

by:JasonRichard
ID: 11797054
Setting ValidateRequest=false seems to do the trick.

Aeros, you said "be aware that this will disable all validation on said page...".

Are you talking about validation controls placed on the WebForm as well, or did you just mean that all controls on the page will be able to accept scripts?  I thought you meant that any type of validation would not work, and it doesn't seem to interfere with the client side validation generated by the Validation controls (RequiredFieldValidator, RegularExpressionValidator...).

Thanks for your help.
0
 
LVL 15

Expert Comment

by:Thogek
ID: 11797399
The discussion of ValidateRequest (and other @Page attributes) at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp might answer your question.

This has to do with a feature in which "request validation checks all input data against a hard-coded list of potentially dangerous values" -- which appears to be completely distinct from programmatic form validation such as via ASP.NET validation controls.
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11797863
That is correct JasonRichard, it disables all validation.  This is an all or none deal, I had to do this for a client because they use html markup for item descriptions, against my will I did.  All entries will be unvalidated.  I just want you to understand what you are doing.

Regards,

Aeros
0
 
LVL 15

Expert Comment

by:Thogek
ID: 11798615
AerosSaga,
Are you sure that @Page ValidateRequest="false" also disables form validation controls?  I don't see any mention of that in MSDN's treatment of ValidateRequest="false"
    http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp
    http://msdn.microsoft.com/library/en-us/vbcon/html/vbtskprotectingagainstscriptexploitsinwebapplication.asp
or the validation controls
    http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebuiwebcontrolsbasevalidatorclasstopic.asp

I haven't experimented with it myself...
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11799766
How else would it know which controls you mean to not validate?  You are turning all validation off for that page!
0
 
LVL 15

Expert Comment

by:Thogek
ID: 11802654
The discussion of ValidateRequest="false" that I see at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp appears to have nothing to do with Validation controls at all.  It has to do with validating "all input data against a hard-coded list of potentially dangerous values" by ASP.NET -- which sounds to me like a different and distinct stage of validation than the use of specific Validation controls within the page, and a stage that occurs regardless of whether any such Validation controls exist on the page.

Has anyone actually tested the use of a few regular Validation controls on a page that has ValidateRequest="false"?
0
 

Author Comment

by:JasonRichard
ID: 11811086
Q: Has anyone actually tested the use of a few regular Validation controls on a page that has ValidateRequest="false"?

A: Yes I have.  Setting <%@ Page ValidateRequest="false"... does not appear to interfere with ValidationControls such as RequiredFieldValidator, RegularExpressionValidator, and so on.  I need to do further testing, but all ValidationControls on my WebForm still function the same as they did before I set ValidateRequest to false.

I would say that setting ValidateRequest to false disables validation against .NET's predefined values, but does not interfere with ValidationControls.

I'm going to leave this question open for a little while longer before awarding the points in case anyone has something more to add. Thank you everybody for helping me out.

JasonRichard
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11811129
Let me apologize for misinforming you then, JasonRichard.
0
 

Author Comment

by:JasonRichard
ID: 11821308
No problem AerosSaga, it made for a good discussion.
0
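
Added example, not part of the original thread: once ValidateRequest="false" is set, the page itself has to decide which markup is acceptable, so a common approach is to HTML-encode the whole TextBox value and then restore only a short allow-list of attribute-free formatting tags before storing or rendering it. The class name, method name and tag list below are hypothetical; only `HttpUtility.HtmlEncode` and `Regex` are framework APIs.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility.HtmlEncode

// Hypothetical helper for a page that runs with ValidateRequest="false".
public static class FormattingSanitizer
{
    // Matches only the *encoded* form of an allowed tag with no attributes,
    // e.g. "&lt;b&gt;" or "&lt;/em&gt;", plus "&lt;br&gt;" / "&lt;br /&gt;".
    // The tag list is an assumption; adjust it to what the client needs.
    private static readonly Regex EncodedAllowedTag = new Regex(
        @"&lt;(/?)(b|i|u|em|strong|p)&gt;|&lt;(br)\s*/?&gt;",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string Sanitize(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        // Step 1: encode everything, so no markup survives by default.
        string encoded = HttpUtility.HtmlEncode(input);

        // Step 2: turn exact matches of allowed tags back into markup.
        // Tags carrying attributes (onclick, style, href, ...) never match
        // the pattern, so they stay encoded and render as visible text.
        return EncodedAllowedTag.Replace(encoded, m =>
            m.Groups[3].Success
                ? "<br />"
                : "<" + m.Groups[1].Value
                      + m.Groups[2].Value.ToLowerInvariant() + ">");
    }

    public static void Main()
    {
        // Constructed sample inputs, standing in for TextBox.Text values.
        string[] samples =
        {
            "Price is <b>reduced</b><br>this week",
            "<b onclick=\"x()\">attribute is not allowed</b>",
            "<script>x()</script> and <I>italic</I>"
        };
        foreach (string s in samples)
            Console.WriteLine(Sanitize(s));
    }
}
```

The Validation controls discussed above (RequiredFieldValidator, RegularExpressionValidator) check format and presence, not markup, so a step like this replaces what request validation was doing for the fields that accept HTML.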

Question has a verified solution.