• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 398

How should I properly use an HTML Editor on my webpage?

I have forms on my webpages where the user can enter free-form data, and I want to provide an editor for formatting the information on those forms.  The information is stored in a database and is pulled to be displayed on other pages on the site.  I found an open source editor, Xinha, that was easy to install and use, but now I have a problem when I submit my form to the server.

I am using ASP.NET 4.0.  When I submit my form I am getting the error shown below.  My question is: what is the best way to resolve this and still protect my site from someone trying to inject harmful code on my site?  Any help is greatly appreciated!

==================================

A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$MessageTextArea="<p>This is a <strong...").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$MessageTextArea="<p>This is a <strong...").

Source Error:

[No relevant source lines]

Source File: c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\greens at penn oaks\8479f56a\22ddd3f2\App_Web_u5sbqkyk.0.cs    Line: 0

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$MessageTextArea="<p>This is a <strong...").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8860756
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
   System.Web.HttpRequest.get_Form() +150
   System.Web.HttpRequest.get_HasForm() +9036751
   System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +97
   System.Web.UI.Page.DeterminePostBackMode() +69
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +8431
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +253
   System.Web.UI.Page.ProcessRequest() +78
   System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21
   System.Web.UI.Page.ProcessRequest(HttpContext context) +49
   ASP.emailhomeowners_aspx.ProcessRequest(HttpContext context) in c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\greens at penn oaks\8479f56a\22ddd3f2\App_Web_u5sbqkyk.0.cs:0
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +100
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

 


--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.272
0
Asked by: dyarosh
1 Solution
 
madginoCommented:
You need to disable request validation; here are the details:
http://www.asp.net/whitepapers/request-validation
0
 
dyaroshAuthor Commented:
I understood the need to disable request validation.  Do you have any suggestions on how to validate what is entered to prevent malicious attacks?  The editor that I am using will only be on pages that are accessed using a user name and password to gain access.  So in theory only valid users of the site should be using the editor.  However, I would still like to prevent a hacker from potentially accessing the form and doing something malicious.  I could check for <script>, </script> tags and display an error if found.  Are there any others I should look for?
0
 
madginoCommented:
It isn't worth the work; if a hacker is targeting this, they will find a way to overcome your validation. Use whatever the editor is providing for validation and don't do any validation yourself.
Depending on the editor's capabilities, you can discard the 'edit HTML code' option; this way the user can only enter text and use the editor buttons, removing the possibility of writing custom code like script, iframe, etc.

In the end it's all about managing risk: if you have critical data on the site, do not provide an HTML editor; if the data is less sensitive, you can afford the risk of displaying HTML content from users.
0
 
dyaroshAuthor Commented:
Thanks
0
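The thread's advice comes down to turning request validation off for the editor page and relying on what the editor restricts. Whatever Xinha disables in the browser, the server still receives whatever is POSTed to it, so the filtering that protects the pages which later display the stored HTML has to run on the server. The block below is an added example of such a filter for ASP.NET 4.0, in C#; it is not code from the thread or from Xinha. It uses the HtmlAgilityPack NuGet package for parsing; the allowed-tag list, the class name `HtmlAllowList` and the choice of tags dropped with their content are assumptions, and the two configuration lines in the header comment are the ones the error message itself describes.

```csharp
// Added example (not from the thread or from Xinha): server-side allow-list
// filtering of the editor's HTML in ASP.NET 4.0, after request validation is
// switched off for the one page that hosts the editor:
//
//   web.config:            <httpRuntime requestValidationMode="2.0" />
//   EmailHomeowners.aspx:  <%@ Page ... ValidateRequest="false" %>
//
// Parsing is done with the HtmlAgilityPack NuGet package. The tag and
// attribute lists below are an assumption; trim them to what the editor needs.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using HtmlAgilityPack;

public static class HtmlAllowList
{
    // Formatting tags a WYSIWYG editor needs. Anything else is unwrapped
    // (tag removed, text kept) or, for DropWithContent, removed outright.
    static readonly HashSet<string> Tags = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
        "h1", "h2", "h3", "blockquote", "a"
    };

    // Per-tag attribute allow-list: no style, id, class or on* handlers anywhere.
    static readonly Dictionary<string, HashSet<string>> Attrs =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
    {
        { "a", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href", "title" } }
    };

    // Elements whose text content is itself dangerous, so their children go too.
    static readonly HashSet<string> DropWithContent = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "script", "style", "iframe", "object", "embed", "noscript", "textarea"
    };

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);

        // Snapshot with ToList(): the tree is modified while it is walked.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment) { node.Remove(); continue; }
            if (node.NodeType != HtmlNodeType.Element) continue; // text stays as parsed

            if (DropWithContent.Contains(node.Name)) { node.Remove(); continue; }

            if (!Tags.Contains(node.Name))
            {
                // Unknown tag (div, span, img, svg, form, ...): hoist its children in
                // front of it and drop the tag. The children are still in the snapshot,
                // so each one is filtered on its own turn.
                foreach (var child in node.ChildNodes.ToList())
                    node.ParentNode.InsertBefore(child, node);
                node.Remove();
                continue;
            }

            HashSet<string> allowed;
            Attrs.TryGetValue(node.Name, out allowed);
            foreach (var attr in node.Attributes.ToList())
            {
                bool keep = allowed != null && allowed.Contains(attr.Name);
                if (keep && attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase))
                    keep = IsSafeUrl(attr.Value);
                if (!keep) attr.Remove();
            }
            if (node.Name.Equals("a", StringComparison.OrdinalIgnoreCase))
                node.SetAttributeValue("rel", "nofollow noopener");
        }
        return doc.DocumentNode.OuterHtml;
    }

    // Allow relative URLs and http/https/mailto only. The check runs on a decoded,
    // control-character-stripped copy because browsers treat "java&#x73;cript:"
    // and "java\tscript:" exactly like "javascript:".
    static bool IsSafeUrl(string value)
    {
        if (string.IsNullOrEmpty(value)) return false;
        string url = new string(WebUtility.HtmlDecode(value).Where(c => c > ' ').ToArray());
        int colon = url.IndexOf(':');
        int firstSep = url.IndexOfAny(new[] { '/', '?', '#' });
        if (colon < 0 || (firstSep >= 0 && firstSep < colon)) return true; // no scheme: relative
        string scheme = url.Substring(0, colon).ToLowerInvariant();
        return scheme == "http" || scheme == "https" || scheme == "mailto";
    }
}
```

In the page's code-behind, call `HtmlAllowList.Sanitize(MessageTextArea.Text)` in the submit handler and store the result, not the raw field; render the stored fragment with a control that does not encode it (an `asp:Literal` with `Mode="PassThrough"`) and keep `HtmlEncode` for every other user-supplied value on those pages. Keep `ValidateRequest="false"` on the editor page only, so the other forms on the site still get the built-in check. Note that the output is HtmlAgilityPack's re-serialization of the filtered tree, so a check of the stored value before it first goes live is worth doing with whatever version of the package you ship.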
