A potentially dangerous Request.Form value was detected from the client

Posted on 2004-08-13
Last Modified: 2008-02-01
Hi,

I have a simple web-based admin tool to enter data into a database.  ASP.NET does not allow me to enter HTML code in a TextBox of a WebForm.  I understand how this is a good security measure, but my client would like to be able to enter simple HTML for text formatting in the admin area of the application.  How can I disable this default security feature for the web-based administration application?

When I try to submit a WebForm with HTML in one or more TextBoxes, I get this error:

A potentially dangerous Request.Form value was detected from the client

Any help would be appreciated.
Question by:JasonRichard
13 Comments
 
LVL 25

Expert Comment

by:nauman_ahmed
ID: 11793927
If you trust the request then in the @Page directive add this statement:

validateRequest=false

Best, Nauman
0
 
LVL 25

Accepted Solution

by:
nauman_ahmed earned 2000 total points
ID: 11793944
To be more specific:

<%@ Page validateRequest="false" ... %>

Best, Nauman
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11793994
Be aware that this will disable all validation on said page, but it's the only way to allow embedded HTML as ASP.NET detects this as an XSS vulnerability.

Regards,

Aeros
0
 
LVL 15

Expert Comment

by:Thogek
ID: 11796409
More information about ValidateRequest (and other @Page attributes) is at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp
0
 

Author Comment

by:JasonRichard
ID: 11797054
Setting ValidateRequest=false seems to do the trick.

Aeros, you said "be aware that this will disable all validation on said page...".

Are you talking about validation controls placed on the WebForm as well, or did you just mean that all controls on the page will be able to accept scripts?  I thought you meant that any type of validation would not work, and it doesn't seem to interfere with the client side validation generated by the Validation controls (RequiredFieldValidator, RegularExpressionValidator...).

Thanks for your help.
0
 
LVL 15

Expert Comment

by:Thogek
ID: 11797399
The discussion of ValidateRequest (and other @Page attributes) at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp might answer your question.

This has to do with a feature in which "request validation checks all input data against a hard-coded list of potentially dangerous values" -- which appears to be completely distinct from programmatic form validation such as via ASP.NET validation controls.
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11797863
That is correct JasonRichard, it disables all validation.  This is an all or none deal, I had to do this for a client because they use html markup for item descriptions, against my will I did.  All entries will be unvalidated.  I just want you to understand what you are doing.

Regards,

Aeros
0
 
LVL 15

Expert Comment

by:Thogek
ID: 11798615
AerosSaga,
Are you sure that @Page ValidateRequest="false" also disables form validation controls?  I don't see any mention of that in MSDN's treatment of ValidateRequest="false"
    http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp
    http://msdn.microsoft.com/library/en-us/vbcon/html/vbtskprotectingagainstscriptexploitsinwebapplication.asp
or the validation controls
    http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebuiwebcontrolsbasevalidatorclasstopic.asp

I haven't experimented with it myself...
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11799766
How else would it know which controls you mean to not validate?  You are turning all validation off for that page!
0
 
LVL 15

Expert Comment

by:Thogek
ID: 11802654
The discussion of ValidateRequest="false" that I see at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconpage.asp appears to have nothing to do with Validation controls at all.  It has to do with validating "all input data against a hard-coded list of potentially dangerous values" by ASP.NET -- which sounds to me like a different and distinct stage of validation than the use of specific Validation controls within the page, and a stage that occurs regardless of whether any such Validation controls exist on the page.

Has anyone actually tested the use of a few regular Validation controls on a page that has ValidateRequest="false"?
0
 

Author Comment

by:JasonRichard
ID: 11811086
Q: Has anyone actually tested the use of a few regular Validation controls on a page that has ValidateRequest="false"?

A: Yes I have.  Setting <%@ Page ValidateRequest="false"... does not appear to interfere with ValidationControls such as RequiredFieldValidator, RegularExpressionValidator, and so on.  I need to do further testing, but all ValidationControls on my WebForm still function the same as they did before I set ValidateRequest to false.

I would say that setting ValidateRequest to false disables validation against .NET's predefined values, but does not interfere with ValidationControls.

I'm going to leave this question open for a little while longer before awarding the points in case anyone has something more to add. Thank you everybody for helping me out.

JasonRichard
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11811129
Let me apologize for misinforming you then JasonRichard.
0
 

Author Comment

by:JasonRichard
ID: 11821308
No problem AerosSaga, it made for a good discussion.
0
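
With ValidateRequest="false" on the admin page, the built-in request check no longer screens the posted markup, so the page's own code has to decide which HTML is acceptable before it is stored or rendered. The C# below is an added example, not code from any poster in this thread: it HTML-encodes the whole value and then restores only a small allow-list of attribute-free formatting tags. The class and method names, the tag list and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Net;   // WebUtility.HtmlEncode; inside a WebForm, Server.HtmlEncode does the same job
using System.Text;

// Added example: server-side handling for a TextBox value posted from a page
// that sets ValidateRequest="false".
public static class FormattedText
{
    // Assumed allow-list; trim it to the formatting the client actually needs.
    private static readonly string[] AllowedTags = { "b", "i", "u", "em", "strong", "p", "br" };

    public static string Sanitize(string raw)
    {
        if (string.IsNullOrEmpty(raw)) return string.Empty;

        // 1. Neutralise all markup: <, >, & and quotes become entities.
        var sb = new StringBuilder(WebUtility.HtmlEncode(raw));

        // 2. Restore exact, attribute-free tags only. A tag carrying attributes
        //    or written in another case does not match the encoded pattern and
        //    stays encoded, so the filter fails closed.
        foreach (string tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return sb.ToString();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs, as they might arrive in Request.Form.
        string[] samples =
        {
            "Price <b>reduced</b> today<br>",      // plain formatting: restored
            "<script>doSomething()</script>",      // not on the list: stays encoded
            "<b onmouseover=\"x()\">hover</b>",    // attribute present: opening tag stays encoded
            "<B>upper case</B>"                    // case mismatch: stays encoded
        };
        foreach (string s in samples)
            Console.WriteLine(FormattedText.Sanitize(s));
    }
}
```

Call the sanitizer in the submit handler after Page.IsValid has been checked, so the validation controls and this filter both run on every post.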
