
I am working on an ASP.NET WebForms app. The client creates an XML string through an Excel macro. He/she wants to copy-paste this XML into the application in a multiline textbox. On the click of a button, the XML needs to be parsed and inserted into a Word template. I haven't worked with XML before and I'm not really sure if this can be done. Forget about the redundancy of doing this; this is a business request. I suggested putting the XML into a file and using a file upload control; then I could load the XML and insert it into Word.

Initially I tried:

aspx

<asp:TextBox ID="XMLTxt" runat="server" TextMode="MultiLine"></asp:TextBox>
<asp:Xml ID="XMLComp" runat="server" ></asp:Xml><br />
<asp:Button ID="XMLBtn" runat="server" Text="Parse XML" OnClick="XMLBtn_Click"/>

In the code-behind I haven't added anything to the XMLBtn_Click method. I was thinking that, when I copy the XML into the textbox and click the button, since I don't have anything in the method, it shouldn't do anything.

However, I'm getting this error:

A potentially dangerous Request.Form value was detected from the client
(LoginView1$XMLTxt="<?xml version="1.0" ...").

So I'm inclined to believe that it's not doable like this and I need to do it differently.

What I want is that when I click the button, all the XML goes into a string which I can append to my Word document and, hopefully, that data will be displayed alright in the Word document. But I'm pretty sure it's a long stretch and I'm missing some information.

  • You are dealing with HTML which has special characters (see: https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references). So it looks like you need to encode the string data using System.Net.WebUtility.HtmlEncode(string) and then decode using System.Net.WebUtility.HtmlDecode(string). – jdweng Jan 10 '18 at 09:45
  • I don't understand when I should encode and decode. The client pastes the XML data in the textbox and pushes a button. The button will export a Word document which has been populated with data. Should the string be encoded even before pasting it in the textbox? The second that I push a button after pasting the XML, I get the error. – Cosmos24Magic Jan 10 '18 at 11:57
  • Yes. The data should be put into the body of an HTML message. I think the encoding is only needed when putting it into the Word document. The text box can handle the < and >. – jdweng Jan 10 '18 at 12:46
  • I don't really know how to do the encoding. So when I click on XMLBtn, I take the XMLTxt and load it into XMLComp. Can you please show me how to encode it? Thanks! – Cosmos24Magic Jan 11 '18 at 11:06
  • string XMLTxtEncoded = System.Net.WebUtility.HtmlEncode(XMLTxt.Text); – jdweng Jan 11 '18 at 13:22

1 Answer

ASP.NET validates form data to prevent XSS injections. Since an XML document contains < and > symbols, it does not pass validation. See A potentially dangerous Request.Form value was detected from the client for details.

In general, I would not recommend you disable the validation even for a single page, because it opens a large hole in your site security. I suggest you either encode the specific symbols before the form is submitted (e.g. in the onsubmit event), then decode them on the client side and save them into the document.

Alternatively, you can provide your end users with the ability to insert XML directly into the document by themselves. For example, the third-party RichEdit control allows online editing.

  • I have tried disabling the textbox validation, not the entire page. This works, but it's still a security risk. Question: what if the application is running on a VPN? So it's not a public app, just a company in-house app. Could this still be a risk? – Cosmos24Magic Jan 10 '18 at 12:02
  • The risk is always present if there is an experienced hacker among your co-workers. Implement additional validation of this field's content on the server side to make sure that it does not contain HTML tags such as – Vladimir Jan 11 '18 at 07:12
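The server side of the "encode before submit, then decode and validate" approach from the answer and Vladimir's last comment, as an added example that is not code from the question or the answer. It assumes the page's onsubmit handler has already replaced `<`, `>`, `&` and `"` in XMLTxt with HTML entities (so request validation stays enabled and the raw markup never reaches the server), that `XMLTxt` and `XMLBtn_Click` are the controls from the question, and that `ErrorLbl` is a hypothetical label added for error reporting.

```csharp
// Added example, not from the original post. Assumes the client has
// entity-encoded the textbox value in onsubmit; ErrorLbl is hypothetical.
using System;
using System.IO;
using System.Net;
using System.Xml;

public partial class XmlImportPage : System.Web.UI.Page
{
    protected void XMLBtn_Click(object sender, EventArgs e)
    {
        // Undo the client-side encoding. Request validation accepted the
        // entity-encoded form because it contains no literal '<'.
        string xml = WebUtility.HtmlDecode(XMLTxt.Text);

        XmlDocument doc;
        try
        {
            doc = ParseUntrustedXml(xml);
        }
        catch (XmlException ex)
        {
            // Only well-formed XML goes any further; anything else is
            // rejected instead of being pushed into the Word template.
            ErrorLbl.Text = "The pasted text is not valid XML: " + ex.Message;
            return;
        }

        // doc.OuterXml is the string to append to the Word template
        // (the Word step itself is not shown on the page).
        string xmlForWord = doc.OuterXml;
    }

    // Parses XML from an untrusted source with DTD processing and external
    // entity resolution disabled, which blocks XXE and entity-expansion
    // payloads that a plain XmlDocument.LoadXml call would accept.
    internal static XmlDocument ParseUntrustedXml(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);   // throws XmlException on malformed input or a DTD
            return doc;
        }
    }
}
```

Disabling validation on the textbox, as tried in the comments, would let the raw `<` through instead; keeping validation on and parsing with `DtdProcessing.Prohibit` gives both the pasted-XML workflow and the server-side check Vladimir asks for.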