
I have a form for which I have been getting submissions that contain punctuation and special characters that trigger the "potentially dangerous Request.Form value" error. I have been trying to use the HttpUtility.HtmlEncode and Server.HtmlEncode methods to sanitize textboxes and textareas.

None of my tests fire because the built-in request validation of the 4.0 framework prevents the code-behind from executing to perform the sanitization. I have included ValidateRequest in the page header, but no matter what I set it to, it still does the same thing.

This is the code I have so far.

' Encode each text field before storing it in Session. Because the stored
' value is already HTML-encoded, it must not be encoded again on the
' confirmation page, or apostrophes and ampersands will render double-encoded.
Session("RequestID") = Server.HtmlEncode(txtRequestID.Value)
Session("FirstName") = Server.HtmlEncode(txtInstFirstName.Text)
Session("LastName") = Server.HtmlEncode(txtInstLastName.Text)
Session("CNumber") = Server.HtmlEncode(txtCNumber.Text)
Session("Email") = Server.HtmlEncode(txtInstEmail.Text)
Session("Phone") = Server.HtmlEncode(txtInstPhone.Text)
' Drop-down values come from the page's own list items, so they are stored as-is.
Session("Department") = ddlDept.SelectedValue
Session("Location") = ddlLocation.SelectedValue

That did not work so I tried this:

' QuoteString is a project helper, not a .NET framework method.
Session("FirstName") = QuoteString(Trim(txtInstFirstName.Text))
Dim sanFN As String = CStr(Session("FirstName"))
' HtmlEncode returns the encoded string; it does not modify its argument.
sanFN = Server.HtmlEncode(sanFN)

What can I do to make this work? According to all the websites I have visited it should work.

Thanks, Tyler


Unfortunately, the project was scrapped and we moved to a new architecture (ruby on rails).


2 Answers


They have changed the way that request validation works in ASP.NET 4.0 so that the page directive to turn it off no longer works by default. You will have to make a change to your web.config so that it behaves as expected. See this similar question for a couple of ways you can do it.

You can read more details in this page on the ASP.NET site.

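The web.config change this answer refers to, written out as an added example (it is not part of the original answer). In ASP.NET 4.0 request validation runs before the page pipeline for every request, so a `validateRequest="false"` page directive is never consulted until the runtime is switched back to the 2.0 behaviour with `requestValidationMode="2.0"` on `<httpRuntime>`. The page name `RequestForm.aspx` is a placeholder.

```xml
<!-- Added example, not from the original answer: the web.config change
     for ASP.NET 4.0.  RequestForm.aspx is a placeholder page name. -->
<configuration>
  <system.web>
    <!-- 4.0 validates every request (pages, handlers, web services) before
         the page pipeline runs, so the @Page directive is never consulted.
         2.0 mode restores the 3.5 behaviour: validate only .aspx pages and
         honour validateRequest on the page or the <pages> element. -->
    <httpRuntime requestValidationMode="2.0" />

    <!-- Weak: this would turn validation off for every page in the application.
    <pages validateRequest="false" />
    -->
  </system.web>

  <!-- Better: keep validation on everywhere and exempt only the one form
       whose free-text fields legitimately contain punctuation.  Its
       code-behind must HtmlEncode those values when it renders them. -->
  <location path="RequestForm.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

Note the trade-off: `requestValidationMode="2.0"` narrows validation for the whole application back to .aspx requests only, so non-page handlers lose the check. Scope the `validateRequest="false"` override to the single page with a `<location>` element rather than the global `<pages>` element, and treat every exempted field as untrusted when it is rendered. (ASP.NET 4.5 later added a per-control `ValidateRequestMode` and `Request.Unvalidated`, which avoid turning the mode down at all.)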

I think that you need to add validateRequest="false" on this page, or in web.config (in the pages parameter) to make it global.

<%@ Page validateRequest="false" %>

More to read on this issue : http://www.asp.net/learn/whitepapers/request-validation

After you set validateRequest to false there is not actually any big danger, but you need to handle any possible script attack in your code, using HtmlEncode when you render the input text back, or doing any other validation on postback before letting the input render on the page.

A note:
Don't use Session to move and save the input data on the page! It's not good practice.

  • I have tried putting validateRequest="false" in the page parameters but it still throws the response validation error. I didn't have this problem with the 3.5 framework. What would be so – Mctee155 Jan 08 '11 at 23:46
  • What would be some suggestions for passing form data to another page? The form does send data to a confirmation page for review using session strings. It's not elegant, but it got the job done. – Mctee155 Jan 08 '11 at 23:53
  • @McTee155 Try adding it to web.config – Aristos Jan 09 '11 at 01:58
  • This has been the biggest exercise in frustration ever! I added it to the web.config file and I even created an entirely new website to test a simple form, and the same exact thing happens every time. I have tried this now on three different servers with the same result. It at least submits when I set the target framework to 3.5. – Mctee155 Jan 09 '11 at 05:04
  • @Mectee155 You are doing something wrong, or I did not understand the problem. What exactly is the error message? Do you see the ASP.NET error screen on submit? If not, when do you see the error? – Aristos Jan 09 '11 at 09:54
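A tighter alternative to switching validation off, as an added example (not code from the question or either answer): ASP.NET 4.0 lets you register a RequestValidator subclass through the `requestValidationType` attribute of `<httpRuntime>`, so the check stays on for every request and is relaxed only for the named form fields. The namespace, assembly name and the list of exempted fields are assumptions for illustration; the control IDs are the ones from the question. Values accepted this way still have to be passed through Server.HtmlEncode at the point where the confirmation page renders them, which is the point the answer makes above.

```vbnet
' Added example (not from the original question or answers): a custom
' RequestValidator for ASP.NET 4.0 that keeps request validation switched ON
' for the whole application and relaxes it only for the named free-text fields.
' Register it in web.config (assumed type and assembly names):
'   <httpRuntime requestValidationType="MyApp.FormFieldRequestValidator, MyApp" />
Imports System
Imports System.Collections.Generic
Imports System.Web
Imports System.Web.Util

Namespace MyApp

    Public Class FormFieldRequestValidator
        Inherits RequestValidator

        ' Form fields that may legitimately carry punctuation (assumed list).
        ' Only the trailing control ID is compared, because ASP.NET prefixes
        ' posted keys with the naming container, e.g. "ctl00$Main$txtInstFirstName".
        Private Shared ReadOnly FreeTextFields As New HashSet(Of String)(
            StringComparer.OrdinalIgnoreCase) From {
                "txtInstFirstName", "txtInstLastName"
            }

        Protected Overrides Function IsValidRequestString(
                context As HttpContext,
                value As String,
                requestValidationSource As RequestValidationSource,
                collectionKey As String,
                ByRef validationFailureIndex As Integer) As Boolean

            validationFailureIndex = -1

            If requestValidationSource = RequestValidationSource.Form _
               AndAlso collectionKey IsNot Nothing _
               AndAlso IsFreeTextField(collectionKey) Then
                ' Accept apostrophes, ampersands and the like, but still refuse
                ' anything that looks like markup.  The value is HtmlEncoded when
                ' rendered, so this is defence in depth, not the only control.
                Dim lt As Integer = value.IndexOf("<"c)
                If lt >= 0 Then
                    validationFailureIndex = lt
                    Return False
                End If
                Return True
            End If

            ' Everything else (query string, cookies, headers, other form
            ' fields) keeps the stock ASP.NET 4.0 validation.
            Return MyBase.IsValidRequestString(context, value,
                requestValidationSource, collectionKey, validationFailureIndex)
        End Function

        Private Shared Function IsFreeTextField(collectionKey As String) As Boolean
            Dim lastSep As Integer = collectionKey.LastIndexOf("$"c)
            Dim id As String = If(lastSep >= 0,
                                  collectionKey.Substring(lastSep + 1),
                                  collectionKey)
            Return FreeTextFields.Contains(id)
        End Function
    End Class

End Namespace
```

With this in place the page directive and `requestValidationMode` can stay at their 4.0 defaults; the only thing that changes is which values are allowed through for the two exempted text boxes. Any field that is not in the list, and every other source of request data, is still rejected exactly as before.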