Solved

Handling "A potentially dangerous Request.Form value was detected from the client" exception without setting validateRequest property to false

Posted on 2005-04-25
Last Modified: 2012-06-27
Hi experts!,

How can the exception "A potentially dangerous Request.Form value was detected from the client" be handled without setting validateRequest to false in the page directive or in the web.config file? Any suggestions?

Thanks, Nauman.
Question by:nauman_ahmed
11 Comments
 
LVL 6

Assisted Solution

by:dharmesh_amity
dharmesh_amity earned 1000 total points
ID: 13858932
You can handle that in Page_Error event.
0
 
LVL 20

Expert Comment

by:ihenry
ID: 13859083
One more way to go: change the setting at page level (in the @page directive). Other than that, handling it in the global error event is the only option left.
0
 
LVL 20

Expert Comment

by:ihenry
ID: 13859147
Oops... I didn't read your question carefully. But I'm still with the same suggestion: handle it in global.asax's Application_Error event. Not a graceful approach, but that's the only option left.
0
 
LVL 25

Author Comment

by:nauman_ahmed
ID: 13860047
Thanks for the answers :)

dharmesh:

I have added the following lines in the InitializeComponent() method:

this.Error += new EventHandler(WebForm1_Error);

private void WebForm1_Error(object sender, EventArgs e)
{
    Response.Write(e.ToString());
}

However, the exception is still being thrown.

JHenry:

What do I have to add in the Global.asax to prevent the application from crashing due to this error?

Thanks, Nauman.
0
 
LVL 20

Accepted Solution

by:
ihenry earned 1000 total points
ID: 13860223
Nauman,
the exception is being thrown from an internal class, CrossSiteScriptingValidation, which is executing at the HTTP module level. That's why you get this error before it reaches anywhere in the webform.

You can use Server.GetLastError() to see if it returns an HttpRequestValidationException object, call Server.ClearError(), and then replace that with your default error page or anything you'd like.
0
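
The handler described in the accepted answer above, sketched as an added example (not code posted by anyone in this thread). It assumes a code-behind class named Global for Global.asax; the log format and the response text are illustrative choices, and validateRequest stays enabled.

```csharp
// Global.asax.cs -- added example, not code from the thread.
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        // The validation exception may arrive directly or wrapped in another
        // exception, so walk the InnerException chain.
        Exception ex = Server.GetLastError();
        while (ex != null && !(ex is HttpRequestValidationException))
        {
            ex = ex.InnerException;
        }
        if (ex == null)
        {
            return; // Some other error: leave it to the normal error handling.
        }

        // Record the rejection for later review. ex.Message quotes part of the
        // rejected input, so it goes to the log only, never back to the browser.
        System.Diagnostics.Trace.WriteLine(String.Format(
            "Request validation rejected {0} from {1}: {2}",
            Request.Path, Request.UserHostAddress, ex.Message));

        // Clear the error so it does not propagate to the default error page,
        // then send a fixed response that echoes nothing from the request.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;
        Response.ContentType = "text/plain";
        Response.Write("The request contained characters that are not allowed.");
    }
}
```

Because the handler sits at application level, it also covers rejected values that never pass through a form field script, and other exception types fall through untouched.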
 
LVL 25

Author Comment

by:nauman_ahmed
ID: 13860847
I am able to handle that somehow on client side using javascript before the request is submitted:

function ClearHtmlTags()
{
    for (var i = 0; i < document.forms[0].elements.length; i++)
    {
        if (document.forms[0].elements[i].type == "text" || document.forms[0].elements[i].type == "textarea")
        {
            if (document.forms[0].elements[i].value.indexOf("<") >= 0)
            {
                do
                {
                    document.forms[0][i].value = document.forms[0].elements[i].value.replace("<", "&lt;");
                }
                while (document.forms[0].elements[i].value.indexOf("<") >= 0);
            }

            if (document.forms[0].elements[i].value.indexOf(">") >= 0)
            {
                do
                {
                    document.forms[0][i].value = document.forms[0].elements[i].value.replace(">", "&gt;");
                }
                while (document.forms[0].elements[i].value.indexOf(">") >= 0);
            }
        }
    }
}

<form id="Form1" method="post" runat="server" onsubmit="javascript:ClearHtmlTags();">

It's working fine now :)

Any idea how I can restrict a textbox so that it doesn't accept the < and > signs?

Thanks, Nauman.
0
 
LVL 20

Expert Comment

by:ihenry
ID: 13860950
0
 
LVL 20

Expert Comment

by:ihenry
ID: 13861111
:o) I didn't know you don't actually need to take html tags from user input, in this case using client-side script and still have the validateRequest set to true shouldn't be a problem. But this malicious content could come not just from textbox or text area. It also can come in from cookie or http headers, so if you don't like to see that error message you still have to handle that in the global error event.
0
 
LVL 6

Expert Comment

by:dharmesh_amity
ID: 13861668
You also need to clear the error.

Call Server.ClearError in your WebForm1_Error; otherwise the error will still propagate to the top and will have the same effect as if the error was not handled.
0
 
LVL 6

Expert Comment

by:dharmesh_amity
ID: 13861695
But I think it's a good idea to avoid the error in the first place with the code you posted.
0
 
LVL 25

Author Comment

by:nauman_ahmed
ID: 13876917
Actually JavaScript has done the trick.  If I need to display the HTML code, I can easily use Server.HtmlDecode() to translate the relevant &lt;&gt; codes.

Thanks for the help :)

-Nauman.
0
