1

I would like to know what rules are used to determine what is a potentially dangerous form value so that I can write client side validation to prevent it hitting the server. Ideally I would like to know how the framework determines what is a potentially dangerous combination of characters, so I could use the same rules in my custom validator to prevent them ever hitting the server.

bluntstone
  • 41
  • 2
  • 1
    Not exactly a rule but using *Prepared Statements* usually reduces the chance of having a client submit a set of *special* characters that could potentially jeopardize your database. – npinti Jun 26 '12 at 07:26
  • not just your database, not sure how – bluntstone Jun 26 '12 at 07:36
  • You could process the text you are being submitted and remove any special characters. – npinti Jun 26 '12 at 07:38
  • @bluntstone, ` – Furqan Hameedi Jun 26 '12 at 07:41
  • Yeah, I know, that's what I was saying: allowing script tags has nothing to do with the DB – bluntstone Jun 26 '12 at 07:45
  • Exactly @npinti, but what are those special characters? What does the framework use to determine what they are? – bluntstone Jun 26 '12 at 07:46
  • I was essentially looking for this: http://stackoverflow.com/questions/8744002/asp-net-potentially-dangerous-request-javascript-regex – bluntstone Jun 27 '12 at 01:10

2 Answers

2

Reasons:

  1. This error generally arises when valid HTML is entered in a text input, i.e. text with opening and closing HTML tags <****>.

  2. It is also caused by entering HTML entities like &nbsp; &amp; &lt; &gt; &quot; etc.

  3. In simple words, you can say that if the text input contains symbols like ">, &, <, =" etc., it will be recognized as a dangerous value.

To resolve this, you can use:

<system.web>
    <httpRuntime requestValidationMode="2.0" />
</system.web>

in your web.config to validate such inputs.

OR

You can HTML-encode the input using:

String clean_value = Server.HtmlEncode(TextBox1.Text);

The following articles may help you:

How To Catch HttpRequestValidationException

http://www.cryer.co.uk/brian/mswinswdev/ms_vbnet_server_error_potentially_dangerous.htm

A potentially dangerous Request.Form value was detected from the client

Hope this helps.

talha2k
  • 24,937
  • 4
  • 62
  • 81
  • I actually don't want to do that. I know I can switch off the validation or switch it on; I am more concerned about what is considered a potentially dangerous form value. I know the obvious ones like – bluntstone Jun 26 '12 at 07:33
  • @bluntstone Html entities mainly cause this error. See the updated answer. – talha2k Jun 26 '12 at 07:45
0

Setting validateRequest = false is generally not recommended. This is what I did:

On the server side, you can use this:

Create a hidden field in ASP.NET and encode it.

hiddenFieldMessage.Value = Uri.EscapeDataString(dangerousString);

Then in JavaScript, create a text area and decode the encoded value.

<script>
    (function () {
        // the hidden field holds the value the server escaped with Uri.EscapeDataString
        var encoded = document.getElementById('<%= hiddenFieldMessage.ClientID %>').value;
        // decode the content back to html (the textarea also turns any html entities back into text)
        var textArea = document.createElement("textarea");
        textArea.innerHTML = decodeURIComponent(encoded);
        var content = textArea.value;  // decoded value
    })();
</script>

This way, there is no need to switch off the validation (which would make your webpage vulnerable to injection attacks).

Gauravsa
  • 6,330
  • 2
  • 21
  • 30
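As an added example, not code from either answer above, the following JavaScript reproduces the check that ASP.NET 4.x request validation applies to each form value (the rule documented in the question 8744002 linked in the comments: a value is "potentially dangerous" when it contains `<` followed by an ASCII letter, `!`, `/` or `?`, or `&` followed by `#`). That makes it usable as the client-side pre-check the question asks for, with the server-side validation left switched on. It also shows the percent-encoding round trip from the second answer, which is why a value escaped that way gets past the check. `isDangerousString`, `findDangerousFields`, `escapeDataString`, `decodeHiddenField` and the `sampleForm` values are my own names and constructed inputs; `escapeDataString` only approximates `Uri.EscapeDataString`, and the DOM textarea step of the second answer is omitted so the block runs under Node.

```javascript
// Added example, not code from the original answers. Reimplements the
// ASP.NET 4.x request-validation rule (System.Web's CrossSiteScriptingValidation):
// a value is "potentially dangerous" when it contains '<' followed by an ASCII
// letter, '!', '/' or '?', or '&' followed by '#'. A lone '<', '>', '=' or '&'
// is not flagged by this rule. Returns the match position, as the server does.
function isDangerousString(s) {
  for (let i = 0; i < s.length - 1; i++) {   // the last character can never start a match
    const c = s[i];
    const next = s[i + 1];
    if (c === '<' && (/^[A-Za-z]$/.test(next) || next === '!' || next === '/' || next === '?')) {
      return { dangerous: true, index: i };
    }
    if (c === '&' && next === '#') {
      return { dangerous: true, index: i };
    }
  }
  return { dangerous: false, index: -1 };
}

// Client-side pre-check for a form: returns the fields that would trip the
// server-side validator. This is a usability aid only; the server keeps
// request validation enabled regardless.
function findDangerousFields(formValues) {
  const hits = [];
  for (const [name, value] of Object.entries(formValues)) {
    const result = isDangerousString(String(value));
    if (result.dangerous) {
      hits.push({ field: name, index: result.index });
    }
  }
  return hits;
}

// Approximation of .NET's Uri.EscapeDataString (assumption: RFC 3986 behaviour,
// i.e. everything except unreserved characters is percent-encoded).
// encodeURIComponent leaves !'()* alone, so those are encoded here as well.
function escapeDataString(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (ch) => '%' + ch.charCodeAt(0).toString(16).toUpperCase());
}

// What the second answer's script does with the hidden field, minus the DOM:
// percent-decoding restores the original markup as a string.
function decodeHiddenField(encoded) {
  return decodeURIComponent(encoded);
}

// Constructed sample submission (hypothetical field names).
const sampleForm = {
  comment: 'Hello <script>alert(1)</script>',   // flagged: '<' followed by a letter
  price: 'a < b && c > d = e',                  // not flagged: '<' followed by a space
  entity: 'x &#60; y',                          // flagged: '&#'
  name: 'Smith & Sons',                         // not flagged: '&' not followed by '#'
};

// Demonstration when run directly (node example.js).
if (typeof require !== 'undefined' && require.main === module) {
  console.log(findDangerousFields(sampleForm));
  const escaped = escapeDataString(sampleForm.comment);
  console.log(escaped, isDangerousString(escaped).dangerous);     // escaped value passes the check
  console.log(decodeHiddenField(escaped) === sampleForm.comment); // round trip intact
}
```

The escaped hidden-field value contains only `%`, hex digits and unreserved characters, so neither `<` nor `&#` can occur in it and the request validator never fires; the original markup is only reconstructed in the browser. Whatever is then done with `content` on the client (inserting it as text versus as HTML) decides whether the page is exposed, so the validator being bypassed this way does not remove the need for output encoding.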