When I put in a string like `abc<def>ghi` in my text box, when I reach the code behind, the `textbox.Text` has become `abcghi`, so `<def>` got removed.

There are no Attributes on the textbox.

Does anyone know if this is default behavior, or if this is a .NET setting in my config?

I have never seen this before.

```aspx
<asp:TextBox ID="_user" runat="server" MaxLength="100" Width="150px"></asp:TextBox>
```

```csharp
foreach (char c in _user.Text.ToCharArray())
    if (invalidChars.Contains(c))
        return false;
```
Puzzle84
  • You should not be seeing that behavior. Can you show us all relevant code (setting/getting/using the `Text` property)? Is there anything affecting the element client-side? Can you show us the markup for your textbox? – Cᴏʀʏ Jun 26 '14 at 21:53
  • I updated the first post. – Puzzle84 Jun 26 '14 at 22:01
  • Do you have more than just a snippet? The whole code-behind (less anything irrelevant) would be ideal... – Cᴏʀʏ Jun 26 '14 at 22:03
  • I do not want to put company code on the web. This is really all I am doing. There are no modifiers in the code or the front end regarding this text box. That's why I am wondering if there is a config setting somewhere. I inherited this code and am starting to figure things out. – Puzzle84 Jun 26 '14 at 22:06
  • Related: http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client – Cᴏʀʏ Jun 26 '14 at 22:10

1 Answer

Did you try `Server.HtmlEncode(TextBox1.Text)`? More details about HtmlEncode are available here.

When you want to display the input back to the user you can do

```csharp
Server.HtmlDecode(inputvalue)
```

Updated: Use `ValidateRequest="false"` in your page directive. This might come with some security implications, but you'll actually get the textbox value in code behind even if it contains HTML characters.

```aspx
<%@ Page Language="C#" ValidateRequest="false" ...
```

You can access the actual value like

```csharp
protected void btnSubmit_Click(object sender, EventArgs e)
{
    string value = TextBox1.Text;
}
```
Dennis R
  • I debugged the value in the codebehind, the actual text field says it's gone. – Puzzle84 Jun 26 '14 at 21:57
  • What do you mean? Do you get the value you want in the code behind or not? – Dennis R Jun 26 '14 at 22:01
  • If I debug and hit my breakpoint and I check `_user.Text`, it's not there. It says `abcghi`; I don't see the `< >` in there. – Puzzle84 Jun 26 '14 at 22:02
  • So you want `abcghi` in your code behind as the textbox value? – Dennis R Jun 26 '14 at 22:03
  • Exactly, that's exactly what I would expect to see. – Puzzle84 Jun 26 '14 at 22:05
  • When you say "check", are you just hovering over the property, viewing it in the Quick Watch window, as a Watch variable, in the Immediate Expression box, etc.? – Cᴏʀʏ Jun 26 '14 at 22:06
  • Edited my answer; this should get you what you want. – Dennis R Jun 26 '14 at 22:07
  • Watch variable, and hovering over. – Puzzle84 Jun 26 '14 at 22:07
  • @DennisR: There's an additional step if .NET 4+ (http://stackoverflow.com/a/17591548/74757). – Cᴏʀʏ Jun 26 '14 at 22:09
  • Thanks @Cory for the link. I'm using .NET 4.5 and I don't have any specific setting in my web.config as noted in the post, but it still works well with just `ValidateRequest="false"` at the page directive. But I do remember I had to set that flag in web.config for one of my earlier applications using .NET 4.0. – Dennis R Jun 26 '14 at 22:15
  • It seems we have `ValidateRequest="false"` in our web.config pages section. That would mean it would be used over all pages. – Puzzle84 Jun 26 '14 at 22:30
  • It should. I tried locally with `ValidateRequest="false"` set at the page level and it works perfectly (I get the actual value including HTML tags). If it doesn't work for you then it could be something else. – Dennis R Jun 26 '14 at 22:32
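
An added example (not code from the thread or its participants) of what a page has to do for itself once `ValidateRequest="false"` is in effect: check the raw value server-side and HTML-encode it at the point where it is written back. The `UserField` class, its allow-list and the sample strings are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Net;

static class UserField
{
    // Assumed policy for the _user box: letters, digits and a few separators.
    const string AllowedPunctuation = "._-@ ";
    // Mirrors MaxLength="100" in the markup; that attribute is only enforced by the browser.
    const int MaxLength = 100;

    // Server-side check on the raw value. With request validation switched off,
    // this is the only filtering the input receives.
    public static bool IsValid(string raw)
    {
        if (string.IsNullOrEmpty(raw) || raw.Length > MaxLength)
            return false;
        return raw.All(c => char.IsLetterOrDigit(c) || AllowedPunctuation.IndexOf(c) >= 0);
    }

    // Encode when writing into HTML, so the value handled in code stays raw.
    public static string ToHtml(string raw)
    {
        return WebUtility.HtmlEncode(raw);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample inputs, including the string from the question.
        string[] samples = { "abc<def>ghi", "j.smith@example.com", "a&b\"c" };
        foreach (string raw in samples)
        {
            string encoded = UserField.ToHtml(raw);
            Console.WriteLine("raw     : " + raw);
            Console.WriteLine("valid   : " + UserField.IsValid(raw));
            Console.WriteLine("as HTML : " + encoded);
            // Decoding returns the original markup; written to a page unencoded,
            // the browser would parse it as HTML rather than show it as text.
            Console.WriteLine("decoded : " + WebUtility.HtmlDecode(encoded));
            Console.WriteLine();
        }
    }
}
```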