A potentially dangerous Request.Form value was detected from the client (txtText="
test<")

Question

I am using below snippet:

<body>
    <form id="form1" runat="server">
    <div>
        <input type="text" name="txtText" value=" " />
        <asp:TextBox ID="txtData" runat="server" />
        <asp:Button ID="btn" Text="Submit" OnClientClick="GetData()" runat="server" 
            onclick="btn_Click" />
    </div>
   <script>
       function GetData() {
           $('[id$=txtData]').val(escape($('input[name="txtText"]').val()))
           //$('input[name="txtText"]').val('')
       }
   </script>
    </form>
    </body>

When I input some data like "<h4>Test</h4>" it throws an exception, however, the code is working fine when the line //$('input[name="txtText"]').val('') is un-commented.

Can somebody please help me here and explain what is really happening here?

Are you using any kind of WYSIWYG plugin for `txtData`? Something that allows a user to write text but actually writes HTML to the underlying form control? — Tieson T., Jan 08 '14 at 05:26
Potential duplicate of http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client?rq=1 — sh1rts, Jan 08 '14 at 05:36
The code is not giving out any errors when you add normal text. It is a specific scenario that you mentioned in your subject line where you tried to supply html code. — Shashank Chaturvedi, Jan 08 '14 at 05:36
Yes i am using WYSIWYG plugin for txtText and before submit i provide encoded data of txtText html input control to a hidden server control like txtData here — Vijay Sharma, Jan 09 '14 at 12:46

Zaheer Ahmed · Answer 1 · 2014-01-08T06:24:25.510

0

This is to protect you from XSS(cross site scripting) attack.

if you do not need it, you can disabled it by:

<%@ Page ValidateRequest="false" %>

or:

<configuration>
    <system.web>
        <pages validateRequest="false" />
    </system.web>
</configuration>

or to handle it manually, you need to encode html before submitting form:

void submitForm(Object sender, EventArgs e) {
  Response.Write(Server.HtmlEncode(textbox.Text)); 
}

and on submit button:

<asp:Button id="submitbutton" runat="server" onclick="submitForm" Text="Submit" />

edited Jan 08 '14 at 06:24

answered Jan 08 '14 at 05:53

Zaheer Ahmed

28,160
11
74
110

1

Can you shed some light on onclick event? Is it client side or server side? ClientSide you wouldn't have those methods, and on server side you wouldn't reach the event. – Kartheek N Jan 08 '14 at 06:03
@KartheekN give it a try! it is server sided event. – Zaheer Ahmed Jan 08 '14 at 06:30

A potentially dangerous Request.Form value was detected from the client (txtText=" test<")

test<")

1 Answers1

A potentially dangerous Request.Form value was detected from the client (txtText="
test<")