A potentially dangerous Request.Form value was detected from the client, encoding help please

Question

So I'm attempting to submit a string as a param over a Post in Js to an asp.net service and im having some difficulty. Before its stated, I do no have access to the server and can not touch the validation, I am strictly accessing from an external client. I get this response back

System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (message=&quot;...t;img src=&amp;#39;http://192.168.1...&quot;).
    at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
    at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection)
    at System.Web.HttpRequest.get_Form()
    at System.Web.Services.Protocols.HtmlFormParameterReader.Read(HttpRequest request)
    at System.Web.Services.Protocols.HttpServerProtocol.ReadParameters()
    at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()

The message I'm sending is:

xcvxzcvzxcvxcvzxcv< br /><img src='http://192.168.1.1:82/UserUploads/Images/65968/20130122020024996.jpg' alt='User Image' />

Which I encode using :

htmlEncode: function(str) {
        str = str.replace(/&/g, '&amp;');
        str = str.replace(/'/g, '&#39;');
        str = str.replace(/"/g, "&quot;");
        str = str.replace(/</g, '&lt;');
        str = str.replace(/>/g, '&gt;');
        return str;
    },

which produces:

xcvxzcvzxcvxcvzxcv&lt; br /&gt;&lt;img src=&#39;http://192.168.1.1:82/UserUploads/Images/65968/20130122020802027.jpg&#39; alt=&#39;User Image&#39; /&gt;

I have run through several validators and checked my encoding and I cannot figure out what is causing the issue. My only guess is that the http:// is causing the problem as its shown in the javascript error, but im not sure. Any help or insight would be greatly appreciated.

It's the ' entity. Looks like any ..; encoding is flagged as dangerous in asp.net. — Ceres, Jan 22 '13 at 21:42
Bingo, that was it, swapped out the conversion for ' and it works perfectly — knightsbore, Jan 22 '13 at 21:53

score 0 · Accepted Answer · answered Jan 22 '13 at 22:47

The problem was the encoding for '. According to user409762, the combination of &# is flagged as dangerous in asp.net.

So now my encoding looks like this and works fine.

htmlEncode: function(str) {
    str = str.replace(/&/g, '&amp;');
    str = str.replace(/"/g, "&quot;");
    str = str.replace(/</g, '&lt;');
    str = str.replace(/>/g, '&gt;');
    return str;
},

score 0 · Answer 2 · edited May 23 '17 at 12:23

0

Using Jquery, you can perform the encode and decode like this link.

function htmlEncode(value) {
    return $('<div/>').text(value).html();
}

function htmlDecode(value) {
    return $('<div/>').html(value).text();
}

edited May 23 '17 at 12:23

Community

1
1

answered Nov 05 '15 at 17:35

Ricardo Fontana

4,583
1
21
32

A potentially dangerous Request.Form value was detected from the client, encoding help please

2 Answers2