13

I have a text field which displays a string that contains < and >. The code throws an error because of that. How can I allow the use of those characters in my text field?

Thanks :)

Brettski
grady

7 Answers

22

Problem is that when this gets posted to the server, it will not work, no matter what you try. This is the ASP.NET XSS protection, which can be disabled like so:

<%@ Page ... ValidateRequest="false" %>

Trouble is, you'll have to be very careful validating all the postback yourself. An easier way is to escape all the contents of the textbox using JavaScript just before posting. You can escape it using the same HTML escaping, then unescape it in server-side code.

Update: Example of escaping. This will flash the changed text on screen before postback - the ideal solution is to use a hidden field for this, i.e. assign the value to a hidden field instead of that same field. This is the simplest version:

<script>
  // Runs on submit (see the RegisterOnSubmitStatement call below).
  // Note: escape() is deprecated; encodeURIComponent() gives the same
  // percent-encoding for < and >.
  function EscapeField(){
    var field = document.getElementById("your client control ID");
    field.value = escape(field.value);
  }
</script>

And in code-behind:

this.ClientScript.RegisterOnSubmitStatement(this.GetType(), 
    "EscapeField", "EscapeField();");

Update: Again, a warning - if you save HTML in your database like this and then just display it to the client, you are directly vulnerable to XSS attacks. There are worms out there that will find and exploit your web site. Make sure you cleanse the HTML you are getting.

gunr2171
Artemiy
8

If you're in an ASP.NET page, you can wrap the whole of the output text in a Server.HtmlEncode("YourTextWith<and>Characters")

call and it will encode any dodgy characters for you.

If, for some reason, you're doing this in a .cs file, you can use System.Web.HttpUtility.HtmlEncode("YourTextWith<and>Characters")

before passing it to the presentation layer.

Andrew Carmichael
  • Yes, it will convert them to &lt; for example, but I want to see the < in the textfield, not &lt; – grady Nov 10 '10 at 16:05
  • It should only do that if it's already doing the encoding - but then it shouldn't error in the first place. Do you have a code sample or URL you can add to your question? And the error you're getting, if possible. – Andrew Carmichael Nov 10 '10 at 16:14
4

Convert them to &lt; and &gt;. In HTML, &lt; is converted to < and &gt; is converted to > without it being treated as part of the markup. So the string <Blah> will be &lt;Blah&gt;.

Edit: I forgot, to automatically convert them and escape all HTML characters (so this isn't an issue for other things), in ASP.NET you can use Server.HtmlEncode(string) to automatically convert all characters that could cause issues to their HTML equivalent.

KallDrexx
  • Yes, but I need to display it as > and <, not the html versions – grady Nov 10 '10 at 15:58
  • When it displays on the website it will display as < >. HTML character codes are used to display those characters at display time, without them being read incorrectly at render/compile time. – KallDrexx Nov 10 '10 at 16:00
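As an added example (not code from any answer on this page), covering both the first answer's escape-before-postback idea and the HTML-entity encoding discussed in the two answers above; the function names and the "TextBox1" id are assumed:

```javascript
// Added example (not code from any answer on this page): the two escaping
// schemes discussed above as plain string functions, runnable without a DOM.

// HTML-entity encoding for the characters that matter in markup. This is the
// mapping Server.HtmlEncode / HttpUtility.HtmlEncode apply to these characters.
function htmlEncode(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Reverse mapping: this is what the browser does when it renders &lt;Blah&gt;
// inside a text box, so the user sees <Blah>, not the entities.
function htmlDecode(s) {
  var map = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, function (_, name) { return map[name]; });
}

// Percent-encoding, which is what the legacy escape() call in the first answer
// really produces for < and > (escape() is deprecated, so encodeURIComponent
// is used here). It hides the angle brackets from request validation on the
// wire only; the server recovers the original string when it unescapes.
function postbackEscape(s) { return encodeURIComponent(String(s)); }
function postbackUnescape(s) { return decodeURIComponent(String(s)); }

// Server-side rendering of the text box. Only the HTML-encoded value can go
// inside value="..."; the raw value would close the attribute and open a tag.
function textBoxMarkup(id, value) {
  return '<input type="text" id="' + htmlEncode(id) + '" value="' + htmlEncode(value) + '">';
}

// The full round trip from the first answer: escape in the browser, unescape on
// the server, then HTML-encode before the value is written back into the page.
function roundTrip(userInput) {
  var wire = postbackEscape(userInput);   // what leaves the browser
  var stored = postbackUnescape(wire);    // what the server saves
  return { wire: wire, stored: stored, markup: textBoxMarkup("TextBox1", stored) };
}
```

The markup returned by roundTrip contains no raw angle brackets from the user's input, yet the browser shows the literal < and > in the box when it renders the entities.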
4

The easiest solution is to disable request validation on individual pages

<%@ Page ... ValidateRequest="false" %>

but don't forget to enable requestValidationMode="2.0"

<system.web>
   ...
   <httpRuntime requestValidationMode="2.0" />
</system.web>

This solution could expose you to some threats.

Another smart solution is to replace, via JavaScript, the text written by the user to make it safe for validation: <tag> is considered dangerous, but < tag> is considered safe!

A JavaScript replacement can solve the problem.

function validateTxt() {
    $("textarea, input[type='text']").change(function () {
        var html = $(this).val(); // get the value
        // .replace("a", "b") works only on the first occurrence of "a";
        // a regex with the g flag replaces every occurrence
        html = html.replace(/< /g, "<"); // first remove any space already after <
        html = html.replace(/</g, "< "); // then add a space after every <
        $(this).val(html); // set the new value
    });
}

$(document).ready(function () {
    validateTxt();
});
Emanuele Greco
0

Your problem is, you cannot use HTML tags in .NET controls. So set ValidateRequest="false" in your aspx page and encode the text before saving it.

    // Encode:
    private string Encode(string text)
    {
        byte[] encodedText = System.Text.Encoding.UTF8.GetBytes(text);
        return System.Convert.ToBase64String(encodedText);
    }

When you retrieve your text, make sure to decode the encoded text.

    // Decode:
    private string Decode(string encodedText)
    {
        byte[] decodedText = System.Convert.FromBase64String(encodedText);
        return System.Text.Encoding.UTF8.GetString(decodedText);
    }
user2837480
0
<asp:TextBox ID="TextBox1" runat="server">&lt;</asp:TextBox>

I don't know if your question is related to this or if you are getting a ValidateRequest issue.

Ta01
0

You can either use the TextBox.Text property, which will HTML-encode whatever you enter:

<asp:TextBox ID="TextBox1" runat="server" Text="<>"></asp:TextBox>

or you can enter the HTML entity names for < and >:

<asp:TextBox ID="TextBox1" runat="server">&lt;</asp:TextBox>

or you can enter the HTML numeric character codes:

<asp:TextBox ID="TextBox1" runat="server">&#60;</asp:TextBox>

For the name and code conversions, check out this chart.

Yuriy Faktorovich