nauman_ahmed
asked on
Handling "A potentially dangerous Request.Form value was detected from the client" exception without setting validateRequest property to false
Hi experts!
How can the exception "A potentially dangerous Request.Form value was detected from the client" be handled without setting validateRequest to false in the page directive or in the web.config file? Any suggestions?
Thanks, Nauman.
One more way to go: change the setting at the page level (in the @Page directive). Other than that, handling it in the global error event is the only option left.
Oops... I didn't read your question carefully. But I'm still with the same suggestion: handle it in global.asax's Application_Error event. Not a graceful approach, but that's the only option left.
ASKER
Thanks for the answers :)
dharmesh:
I have added the following lines in the InitializeComponent() method:
this.Error += new EventHandler(WebForm1_Error);
private void WebForm1_Error(object sender, EventArgs e)
{
    Response.Write(e.ToString());
}
However, the exception is still being thrown.
JHenry:
What do I have to add in the Global.asax to prevent the application from crashing due to this error?
Thanks, Nauman.
ASKER
I am able to handle that somehow on the client side using JavaScript before the request is submitted:
function ClearHtmlTags()
{
    for (var i = 0; i < document.forms[0].elements.length; i++)
    {
        if (document.forms[0].elements[i].type == "text" || document.forms[0].elements[i].type == "textarea")
        {
            if (document.forms[0].elements[i].value.indexOf("<") >= 0)
            {
                do
                {
                    document.forms[0][i].value = document.forms[0].elements[i].value.replace("<", "&lt;")
                }
                while (document.forms[0].elements[i].value.indexOf("<") >= 0);
            }
            if (document.forms[0].elements[i].value.indexOf(">") >= 0)
            {
                do
                {
                    document.forms[0][i].value = document.forms[0].elements[i].value.replace(">", "&gt;")
                }
                while (document.forms[0].elements[i].value.indexOf(">") >= 0);
            }
        }
    }
}
<form id="Form1" method="post" runat="server" onsubmit="javascript:ClearHtmlTags();">
It's working fine now :)
Any idea how I can restrict a textbox so that it doesn't accept the < and > signs?
Thanks, Nauman.
I hope praneetha's code could help you on this :o)
https://www.experts-exchange.com/questions/21368609/Client-Side-Validation-does-not-work.html
:o) I didn't know you don't actually need to take HTML tags from user input. In this case, using client-side script and still having validateRequest set to true shouldn't be a problem. But this malicious content could come not just from a textbox or text area. It can also come in from a cookie or HTTP headers, so if you don't like to see that error message you still have to handle that in the global error event.
You also need to clear the error.
Call Server.ClearError in your WebForm1_Error, otherwise the error will still propagate to the top and will have the same effect as if the error was not handled.
But I think it's a good idea to avoid the error in the first place with the code you posted.
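The Global.asax approach discussed in the comments above, as an added example that is not code from this thread: it catches the request-validation failure in Application_Error, calls Server.ClearError as suggested, and leaves validateRequest set to true. The class name Global, the 400 status code and the message text are assumptions.

```csharp
// Global.asax.cs (added example; class name, status code and message text are assumptions)
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        // Page exceptions normally arrive wrapped in HttpUnhandledException,
        // so walk the InnerException chain looking for the validation failure.
        Exception ex = Server.GetLastError();
        while (ex != null && !(ex is HttpRequestValidationException))
        {
            ex = ex.InnerException;
        }
        if (ex == null)
        {
            return; // not a request-validation failure: leave default error handling alone
        }

        // Record where it happened, but not the rejected value itself.
        System.Diagnostics.Trace.WriteLine(
            "Request validation rejected input for " + Request.Path
            + " from " + Request.UserHostAddress);

        // Without ClearError the exception keeps propagating and the
        // standard error page is shown, as if nothing had handled it.
        Server.ClearError();

        // Answer with a fixed message; never echo the offending form,
        // cookie or header value back into the response.
        Response.Clear();
        Response.StatusCode = 400;
        Response.ContentType = "text/plain";
        Response.Write("The request contained characters that are not allowed, such as < or >.");
    }
}
```

Because the check runs on the server, it also covers requests that never executed the client-side script, including values arriving in cookies or headers.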
ASKER
Actually JavaScript has done the trick. If I need to display the HTML code, I can easily use Server.HtmlDecode() to translate the relevant <> codes.
Thanks for the help :)
-Nauman.