Using C# and VS 2010.
In an effort to do some final testing, I found that some areas need protecting.
Using a simple script to test:

    <script>alert('123');</script>

Of course the page breaks with the popup message:

    JavaScript runtime error: Sys.WebForms.PageRequestManagerServerErrorException:
    An unknown error occurred while processing the request on the server.
    The status code returned from the server was: 500

In the page directive, it is set:

    ValidateRequest="false"

And also using AntiXSSLibrary with a textbox set to encode:

    string test = Encoder.HtmlEncode(txtSomeTextBox.Text);

The above error occurs on a page with an updatepanel.
And testing on a page without an updatepanel, the error is:

    A potentially dangerous Request.Form value was detected from the client
    (ctl00$ContentPlaceHolder1$txtTest="<script>alert('123')...").

EXACT same code on that page as well.
The information being input is stored in SQL Server and later viewed by a coworker.
Why is the page breaking?
Why is the HtmlEncode not working as expected?
Any input is appreciated.