A potentially dangerous Request.Form value . . .

Last post 10-16-2009, 8:01 AM by muruganad. 5 replies.
  •  06-16-2004, 12:07 PM 1036

    A potentially dangerous Request.Form value . . .

    I get the following error when I try to submit my form.  I really don't want to set validateRequest=false.  Any ideas around this?

     

    A potentially dangerous Request.Form value was detected from the client (txtComment="this ia<BR>a test").

    Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

    Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (txtComment="this ia<BR>a test").

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (txtComment="this ia<BR>a test").]
       System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
       System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
       System.Web.HttpRequest.get_Form() +113
       System.Web.UI.Page.GetCollectionBasedOnMethod()
       System.Web.UI.Page.DeterminePostBackMode()
       System.Web.UI.Page.ProcessRequestMain()
       System.Web.UI.Page.ProcessRequest()
       System.Web.UI.Page.ProcessRequest(HttpContext context)
       System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    


    Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.573
  •  06-16-2004, 2:41 PM 1040 in reply to 1036

    Re: A potentially dangerous Request.Form value . . .


    The validateRequest feature should be disabled for pages that contain a CuteEditor control; this enables the user to enter HTML code into the database. This is safe, as the CuteEditor does its own protection to prevent HTML script attacks by correctly encoding all text by default.

     
     

    asp.net Chat http://cutesoft.net/ASP.NET+Chat/default.aspx
    Web Messenger: http://cutesoft.net/Web-Messenger/default.aspx
    asp.net wysiwyg editor: http://cutesoft.net/ASP.NET+WYSIWYG+Editor/default.aspx
    asp wysiwyg html editor: http://cutesoft.net/ASP
    asp.net Image Gallery: http://cutesoft.net/ASP.NET+Image+Gallery/default.aspx
    Live Support: http://cutesoft.net/live-support/default.aspx

  •  06-17-2004, 2:19 PM 1049 in reply to 1040

    Re: A potentially dangerous Request.Form value . . .

    I understand.  But what about the other controls on the form.  What is protecting those from "rogue" script?
  •  06-17-2004, 3:08 PM 1050 in reply to 1049

    Re: A potentially dangerous Request.Form value . . .

    To prevent some script-injection attacks, with request validation turned off, you need to HTML encode the content of other controls on the form.
     
    HTML encoding will automatically replace any ‘<’ or ‘>’ (together with several other symbols) with their corresponding HTML encoded representation. For example, ‘<’ is replaced by ‘&lt;’ and ‘>’ is replaced by ‘&gt;’.
     
    Browsers use these special codes to display the ‘<’ or ‘>’ in the browser.
     

    Content can be easily HTML-encoded on the server using the Server.HtmlEncode(string) API. Content can also be easily HTML-decoded, that is, reverted back to standard HTML using the Server.HtmlDecode(string) method.


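
The encoding approach from the reply above, as an added example that is not part of the original thread or of CuteEditor: a C# console sketch that uses HttpUtility.HtmlEncode, the static counterpart of Server.HtmlEncode, on a constructed form post. The EncodeForOutput helper, the txtName and txtEmail fields, the sample values, and the choice of txtComment as the editor's field are assumptions for illustration.

```csharp
using System;
using System.Collections.Specialized;
using System.Web; // HttpUtility is the static counterpart of Server.HtmlEncode

class EncodeOtherControls
{
    // Hypothetical helper: HTML-encode every posted value except the one
    // owned by the rich-text editor, which handles its own markup.
    static NameValueCollection EncodeForOutput(NameValueCollection form, string editorField)
    {
        NameValueCollection result = new NameValueCollection();
        foreach (string key in form.AllKeys)
        {
            string value = form[key];
            result[key] = (key == editorField) ? value : HttpUtility.HtmlEncode(value);
        }
        return result;
    }

    static void Main()
    {
        // Constructed sample post, standing in for Request.Form on a page
        // where validateRequest is off. txtName and txtEmail are assumed
        // plain text boxes; txtComment is assumed to be the editor's field.
        NameValueCollection form = new NameValueCollection();
        form["txtName"] = "Bob <script>alert(1)</script>";
        form["txtEmail"] = "Bob \"The Builder\" <bob@example.com>";
        form["txtComment"] = "this ia<BR>a test";

        // Encode at the point of output, not before storing the value.
        NameValueCollection output = EncodeForOutput(form, "txtComment");
        foreach (string key in output.AllKeys)
            Console.WriteLine(key + " = " + output[key]);

        // A value written into an attribute gets attribute encoding, which
        // also escapes the double quote that would end the attribute.
        Console.WriteLine("<input name=\"txtEmail\" value=\""
            + HttpUtility.HtmlAttributeEncode(form["txtEmail"]) + "\" />");

        // HtmlDecode restores the raw markup, so a decoded value must be
        // encoded again before it is written into a page.
        string decoded = HttpUtility.HtmlDecode(output["txtName"]);
        Console.WriteLine(decoded == form["txtName"]);
    }
}
```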

  •  06-19-2009, 8:20 AM 53294 in reply to 1036

    Re: A potentially dangerous Request.Form value . . .

    hi,
     
    Before assigning any value to txtComment, its value should be blank, like txtComment.Value="";
  •  10-16-2009, 8:01 AM 56445 in reply to 1036

    System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client
