How should I properly use an HTML Editor on my webpage?

Posted on 2012-08-22
Last Modified: 2012-08-23
I have forms on my webpages where the user can enter free form data and I want to provide an editor for formatting the information on those forms. The information is stored in a database and is pulled to be displayed on other pages on the site. I found an open source editor, Xinha, that was easy to install and use, but now I have a problem when I submit my form to the server.

I am using ASP.Net 4.0. When I submit my form I am getting the error shown below. My question is what is the best way to resolve this and still protect my site from someone trying to inject harmful code on my site? Any help is greatly appreciated!


A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$MessageTextArea="<p>This is a <strong...").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$MessageTextArea="<p>This is a <strong...").

Source Error:

[No relevant source lines]

Source File: c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\greens at penn oaks\8479f56a\22ddd3f2\App_Web_u5sbqkyk.0.cs    Line: 0

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$MessageTextArea="<p>This is a <strong...").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8860756
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
   System.Web.HttpRequest.get_Form() +150
   System.Web.HttpRequest.get_HasForm() +9036751
   System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +97
   System.Web.UI.Page.DeterminePostBackMode() +69
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +8431
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +253
   System.Web.UI.Page.ProcessRequest() +78
   System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21
   System.Web.UI.Page.ProcessRequest(HttpContext context) +49
   ASP.emailhomeowners_aspx.ProcessRequest(HttpContext context) in c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\greens at penn oaks\8479f56a\22ddd3f2\App_Web_u5sbqkyk.0.cs:0
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +100
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.272
Question by:dyarosh
    Expert Comment

    You need to disable request validation, here are the details:

    Author Comment

    I understood the need to disable request validation.  Do you have any suggestions on how to validate what is entered to prevent malicious attacks?  The editor that I am using will only be on pages that are accessed using a user name and password to gain access.  So in theory only valid users of the site should be using the editor.  However, I would still like to prevent a hacker from potentially accessing the form and doing something malicious.  I could check for <script>, </script> tags and display an error if found.  Are there any others I should look for?
    Accepted Solution

    It isn't worth the work; if a hacker is targeting this, they will find a way to overcome your validation. Use whatever the editor is providing for validation and don't do any validation yourself.
    Depending on the editor's capabilities, you can discard the 'edit HTML code' option; this way the user can enter only text and use the editor buttons, removing the possibility of writing custom code like script, iframe, etc.

    In the end it's all about managing risk: if you have critical data on the site, do not provide an HTML editor; if the data is less sensitive, you can afford the risk of displaying HTML content from the user.
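The question's idea of checking for `<script>` tags and the accepted answer's warning that a hand-written check is easy to get around both point at the usual defensive alternative: an allow list that parses the submitted HTML and keeps only known tags, attributes and URL schemes, dropping everything else. The following is an added example, not code from the question, the answers or the Xinha project; the allowed tag and attribute sets are constructed assumptions, and in the ASP.NET page the same logic would run in the code-behind (with validateRequest turned off for that one page only) before the value is written to the database.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed allow lists: anything not listed is dropped. Extend to match the editor's buttons.
ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}                    # no style, no on* event handlers
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
RAW_TEXT_TAGS = ("script", "style")                # dropped together with their text

def safe_href(value):
    """Return the href if it is clean and uses an allowed scheme, else None."""
    value = value or ""
    clean = not any(ch.isspace() or ord(ch) < 32 for ch in value)  # no control chars
    allowed = urlparse(value).scheme.lower() in ALLOWED_SCHEMES     # no javascript:/data:
    return value if clean and allowed else None

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded, incl. in attributes
        self.out, self.skip = [], 0              # skip > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = ""
            for name, value in attrs:
                if name in ALLOWED_ATTRS.get(tag, ()):
                    value = safe_href(value) if name == "href" else (value or "")
                    if value is not None:
                        kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
        # any other tag is dropped; its text content is kept as plain text

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-escape text; comments are dropped

def sanitize(html):
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

The output is not rebalanced (an unclosed `<p>` stays unclosed), which a production sanitizer library also handles; the point here is that new tags or attributes never need a new deny-list entry because they are rejected by default.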
