Unhandled exception

I am getting the follow execption when I attempt to navigate to a new page from my asp.net site using a button - this occurs no matter which page I am trying to get to.
I can't find the error using debugging - the execution never gets to the code controlling the button click.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (dgOpsLog:_ctl3:_ctl0="...ble Where OnWebReq = 1 Order b...").

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (dgOpsLog:_ctl3:_ctl0="...ble Where OnWebReq = 1 Order b...").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
   System.Web.HttpRequest.get_Form() +113
   System.Web.UI.Page.ProcessRequest(HttpContext context)
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87

I don't understand where to look for the problem.

Thanks for any help.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

This occurs when you pass a potential sql injection string in web form controls or your URL to the new page. If you remove the values or parameters passed, it should work fine.
Also, you can disable validaterequest in your page header <%@ Page Language="VB" ValidateRequest="false"  %>

There seems to be some HTML TAGS in the form input or Request.QueryString that is failing validation. Albeit, bsdotnet solution would work, for security reasons, you should never disable request validation, given the amount of cross site scripting attacks on the Internet.

The best solution would be on Submit call, javascript escape() function on the values and submit the form.
OWASP Proactive Controls

Learn the most important control and control categories that every architect and developer should include in their projects.

Dear jberv534,
ASP.Net automatically validates textboxes and other controls, when they are posted back to the server, to check if they contain HTML or some scripts. This is so usefull and you should'nt disable it. Instead tell me more about the controls and functionality you have in the current page. (Not other target pages) We will find which control is sending html content to the server and server is preventing it.
Good luck

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jberv534Author Commented:
I'm afraid I am too inexperienced to make sense of deepaknet's comment. I changed the validation on the page creating the exception when a button is clicked and that works, but I agree, I don't like the approach. I am confused about the validation process - the reference to OnWebReqs doesn't make any sense in that context. Where do I look for the html tags?
Hi again,
What is the functionality of your page? What controls do you have on your page? Do you have HTML Text Area, or do you have a third party control for rich text editing (Like Yahoo Mail Compose Email page)?
We will find it!
Good luck
jberv534Author Commented:
On the page that causes the error there are nav buttons, a datagrid, dropdowns, some text boxes. Nothing is entered on the page - it reports logins, errors and data transfer activity. The only thing that can be done is the deletion of grid items. There is also a control to allow the user to select date ranges. Something happens between when any of the nav buttons (all are going to other pages in the site) are clicked and when the routine that controls the click is executed - that's where I am blinded.

Thanks, again.
You should inspect the textboxes. It is more likely that one of these are submitting html tag like strings. It need not be a valid HTML also. It just checks the tag like syntax to prevent cross-site scripting attack.

For textboxes, try calling escape() on those values from JavaScript and serverside, Server.URLDecode() should do the trick back.
Dear jberv534 ,
I suggest you to start a new page, and put your controls step by step. Each item you add, check if the problem is caused or not. By this iteration, you will find which control is causing the problem.
Good luck
jberv534Author Commented:
Thanks, I'll let you know what I find.
jberv534Author Commented:
TheMehrdad - I have been working with the datagrid on the page in question and by clearing all of the records, the exception is avoided. There is a text field in the grid that has exception and other messages created during site operations, but I was not aware of anything specificially related to the OnWebReq. Anyway, can you tell me how I can trap that textbox? It also turns-out that any control used was creating the exception. Can you tell me how I can isolate that text? I will be monitoring the site to see when the exception occurs. Thanks for all of your help.
Dear jberv534,
I didn't get that: "Do you know which exact Textbox is causing the problem?" or you just know one of your textboxes is causing the exception.
If you know the exact textbox, tell me what kind of data is shown in this textbox, if you don't know which textbox is, first clear all columns, then add them step by step to find that textbox.

When we know which textbox (Column of textboxes) is causing the problem, we will check the data in them. and then we will find a way for encoding the data to avoid the problem.

Good luck
jberv534Author Commented:
Dear TheMehrdad - the field in question is a text box in a datagrid that is used to display log messages: logins, transfer notes, errors. I cleared the data table and have had no further occurances of the exception. I am tracking the table to see if it re-occurs. In the meantime, I will close this thread and take care of the points. Thanks for your help, really.
Dear jberv534 ,
You are welcome. You may ask any more question if you have to solve the problem. Just put your question here. I think there are some HTML or SQL keywords in your log information. I hope you find and solve them.
Good luck
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.