Handling "A potentially dangerous Request.Form value was detected from the client" exception without setting validateRequest property to false

Hi experts!,

How can the exception "A potentially dangerous Request.Form value was detected from the client" be handled without setting validateRequest to false in the page directive or in the web.config file? Any suggestions?

Thanks, Nauman.
nauman_ahmed Asked:
 
ihenry Commented:
Nauman,
The exception is being thrown from an internal class, CrossSiteScriptingValidation, which executes at the HTTP module level; that's why you get this error before it reaches anywhere in the web form.

You can use Server.GetLastError() to see if it returns an HttpRequestValidationException object, call Server.ClearError(), and then replace that with your default error page or anything you'd like.
0
 
dharmesh_amity Commented:
You can handle that in Page_Error event.
0
 
ihenry Commented:
One more way to go: change the setting at page level (in the @Page directive). Other than that, handling it in the global error event is the only option left.
0
 
ihenry Commented:
Oops... I didn't read your question carefully. But I'm still with the same suggestion: handle it in global.asax's Application_Error event. Not a graceful approach, but that's the only option left.
0
 
nauman_ahmed (Author) Commented:
Thanks for the answers :)

dharmesh:

I have added the following lines in the InitializeComponent() method:

this.Error += new EventHandler(WebForm1_Error);

private void WebForm1_Error(object sender, EventArgs e)
{
    Response.Write(e.ToString());
}

However, the exception is still being thrown.

JHenry:

What do I have to add in Global.asax to prevent the application from crashing due to this error?

Thanks, Nauman.
0
 
nauman_ahmed (Author) Commented:
I am able to handle that somehow on the client side using JavaScript before the request is submitted:

function ClearHtmlTags()
{
    // Replace every < and > in text inputs and textareas with HTML entities before the form is submitted
    var elements = document.forms[0].elements;
    for (var i = 0; i < elements.length; i++)
    {
        if (elements[i].type == "text" || elements[i].type == "textarea")
        {
            elements[i].value = elements[i].value.replace(/</g, "&lt;").replace(/>/g, "&gt;");
        }
    }
}
<form id="Form1" method="post" runat="server" onsubmit="javascript:ClearHtmlTags();">

It's working fine now :)

Any idea how I can restrict a textbox so that it doesn't accept the < and > signs?

Thanks, Nauman.
0
 
ihenry Commented:
:o) I didn't know you don't actually need to take HTML tags from user input; in this case, using client-side script and still having validateRequest set to true shouldn't be a problem. But this malicious content could come not just from a textbox or text area. It can also come in from a cookie or HTTP headers, so if you don't like to see that error message you still have to handle that in the global error event.
0
 
dharmesh_amity Commented:
You also need to clear the error.

Call Server.ClearError in your WebForm1_Error; otherwise the error will still propagate to the top and will have the same effect as if the error was not handled.
0
 
dharmesh_amity Commented:
But I think it's a good idea to avoid the error in the first place with the code you posted.
0
 
nauman_ahmed (Author) Commented:
Actually JavaScript has done the trick.  If I need to display the HTML code, I can easily use Server.HtmlDecode() to translate the relevant &lt;&gt; codes.

Thanks for the help :)

-Nauman.
0
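
The global handler suggested in the thread (Server.GetLastError(), a check for HttpRequestValidationException, then Server.ClearError() in Application_Error), written out as an added example that is not code from any participant. It assumes a classic ASP.NET (System.Web) application with a code-behind Global.asax.cs and validateRequest left at true; the response text and log format are illustrative.

```csharp
// Global.asax.cs -- added example, not from the original thread.
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();

        // The validation failure may arrive directly or wrapped in an
        // HttpUnhandledException, depending on where it was raised.
        HttpRequestValidationException validationError =
            error as HttpRequestValidationException;
        if (validationError == null && error != null)
        {
            validationError = error.InnerException as HttpRequestValidationException;
        }

        if (validationError == null)
        {
            return; // every other error keeps the normal error handling
        }

        // Log that a request was rejected. The exception message quotes part
        // of the offending value, so it is deliberately not written here.
        Trace.TraceWarning(
            "Request validation rejected {0} {1} from {2}",
            Request.HttpMethod, Request.Path, Request.UserHostAddress);

        // Without ClearError() the exception keeps propagating and the
        // default error page is still shown.
        Server.ClearError();

        // Fixed response: nothing from the rejected request is echoed back.
        Response.Clear();
        Response.StatusCode = 400;
        Response.ContentType = "text/plain";
        Response.Write("The submitted input was rejected.");
        CompleteRequest();
    }
}
```

Because validateRequest stays enabled, values that never passed through the client-side script are still rejected on the server and end up in this handler.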
Question has a verified solution.
