I'm wanting to allow users to enter HTML in only a single TextBox. I understand it's possible to change ValidateRequest in the page directive to false in order to remove protection.
I'm guessing that this allows HTML to be entered in any TextBox on the page. Is there anyway to apply ValidateRequest="false" on only a single control?
Thanks for any help.
No, the request validation is for the entire request or nothing.
The validation was added as a default to protect developers who are clueless about input validation. If you know that all input has to be treated as unsafe and know how to properly encode data that you use from the input to protect yourself from things like SQL injection and cross site scripting, you can turn the validation off.
Update: In .NET 4.5 the ValidateRequestMode property was added, which allows excluding controls from the page global validation.
New in .NET 4.5 : You can set ValidateRequestMode="Disabled" on a control. See MSDN.
Try turning ValidateRequest off and use this method for removing markup from each individual control/parameter:
public static string RemoveMarkUp(this string s) {
return Regex.Replace(s, @"<[a-zA-Z\/][^>]*>", string.Empty);
}
