
I have added a FreeTextBox control in my page, which allows users to insert HTML tags. Well, when I send it to the server, I get the following error:

A potentially dangerous Request.Form value was detected from the client (GestisciPagine1_txtTestoPagina="...t homepage<br><br>").

Which option do I need to change to avoid this? I only want to change this control. Is it possible?

FishBasketGordo
markzzz
  • possible duplicate of [What's the best way to get round a 'Potentially Dangerous Request' error in asp.net?](http://stackoverflow.com/questions/1006469/whats-the-best-way-to-get-round-a-potentially-dangerous-request-error-in-asp) – jrummell Apr 03 '12 at 20:32
  • If you want to change control options, please see here: [http://stackoverflow.com/questions/10210673/what-is-the-meaning-of-a-potentially-dangerous-request-form-value-was-detected-f/10817548#10817548](http://stackoverflow.com/questions/10210673/what-is-the-meaning-of-a-potentially-dangerous-request-form-value-was-detected-f/10817548#10817548) – Boriss Pavlovs Jun 01 '12 at 20:37

1 Answer

Which option do I need to change to avoid this, for ONLY this control?

You can't do this per control. You need to do it at the page level or for the entire application:

<%@ Page Title="Home Page" Language="C#" ValidateRequest="false" %>
Darin Dimitrov
  • This means I need to escape/encode all data that I get from this page? Or .NET do it as well? – markzzz Apr 03 '12 at 20:32
  • @markzzz, you need to HTML encode it if you intend to display it back on the page. That's all. On the server you could store it in a SQL database as is without worrying about anything (assuming you are using parameterized queries of course, but since you should always use parameterized queries if you are doing any plain ADO.NET it shouldn't be any problem). – Darin Dimitrov Apr 03 '12 at 20:33
  • I use stored procedures, or LINQ to SQL :). But, on printing back to the page, .NET should also do an HTML encode automatically, right? – markzzz Apr 03 '12 at 21:40
  • So, why that control "ValidateRequest"? To prevent something that will be checked anyway? :O – markzzz Apr 04 '12 at 07:01
  • By default ASP.NET doesn't allow posting such characters. I think it's in order to warn the developer that he must perform certain additional steps (HTML encode) when displaying them back in the page. Imagine there was no exception. People that were unaware of the fact that they must HTML encode them wouldn't do it and would get their sites XSSed. On the other hand an exception is thrown => it makes developers afraid, they ask questions and get things clear. – Darin Dimitrov Apr 04 '12 at 08:41
  • "People that were unaware of the fact that they must HTML encode": no, because .NET does it anyway :) That's what I don't understand hehe – markzzz Apr 04 '12 at 08:48
  • @markzzz, no, .NET doesn't HTML encode what you are outputting by default. Actually it depends how you are outputting it. If you simply write `<%= SomeValue %>` where `SomeValue` represents HTML, nothing will get encoded. – Darin Dimitrov Apr 04 '12 at 11:48
  • Yeah, in fact it does it only with Literal. I only use Literal, that's why I didn't understand :) Thank you – markzzz Apr 04 '12 at 12:41
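To tie the answer and the comment thread together, here is an added example (not code from the question or the answer) of a page that opts out of request validation and then encodes the posted markup at output time. The posted value, the `litText` control and the `EncodedText()` helper are constructed for the illustration; on ASP.NET 4.0 and later the page directive only takes effect when `web.config` also sets `<httpRuntime requestValidationMode="2.0" />`.

```aspx
<%-- Page-level opt-out: request validation stays on for every other page.
     On ASP.NET 4.0+ this also needs requestValidationMode="2.0" in
     web.config, otherwise the directive alone is ignored. --%>
<%@ Page Title="Home Page" Language="C#" ValidateRequest="false" %>
<%@ Import Namespace="System.Web" %>

<script runat="server">
    // Constructed sample standing in for what the FreeTextBox posts back.
    // Store it as-is (parameterized query / stored procedure); encoding is
    // an output concern, not a storage concern.
    protected string PageText = "<b>home</b><img src=x onerror=alert(1)>";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Literal does NOT encode in its default Mode="Transform"; the
        // Mode="Encode" set in the markup below makes it call HtmlEncode.
        litText.Text = PageText;
    }

    // Explicit encoding: < > & " become entities, so the browser renders
    // the markup as text instead of executing it. Works on any version.
    protected string EncodedText()
    {
        return HttpUtility.HtmlEncode(PageText);
    }
</script>

<form id="form1" runat="server">
    <%-- Writing PageText with the plain "=" expression block would emit it
         verbatim and the onerror handler would run. The ":" block (ASP.NET
         4+) HTML-encodes automatically. --%>
    <p><%: PageText %></p>

    <%-- Same protection with an explicit call, for older versions. --%>
    <p><%= EncodedText() %></p>

    <%-- Literal only encodes when Mode="Encode" is set. --%>
    <p><asp:Literal ID="litText" runat="server" Mode="Encode" /></p>
</form>
```

All three outputs render the literal text `<b>home</b><img src=x onerror=alert(1)>` rather than a bold word followed by a script-executing image element.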