6

(ASP.NET 4.0 C#)

I have my `<httpRuntime requestValidationMode="2.0" />` in the web.config. And I have my `validateRequest="false"` in page directories.

On one page, I send some data (html) from a ckeditor (textarea) to a database. Works fine. On another page I fill the ckeditor with data from a database, then I update it (send it back), and I get the famous "A potentially dangerous Request.Form value was detected from the client."

Makes me very confused. The only difference is that on the second page the data gets dynamically inserted into the textarea, where on the first page the textarea is empty on pageload. Am I missing something here? I'm pretty sure encoding/decoding doesn't mean anything, as the framework stops it before I can even start messing with it on the backend.

Michael Easter
Kasper Skov

3 Answers

1

Okay, I haven't found an answer to why it's behaving the way it is. But I found a very easy and quick way around it (+ new benefits).

There's a guy who made a .NET CKEditor control:

http://cksource.com/forums/viewtopic.php?f=11&t=15882

There ya go. Works like a charm. No validation errors whatsoever.

Kasper Skov
0

Try setting ValidateRequest to false in the page directive? A better option might be to use the Microsoft Anti-Cross Site Scripting Library:

http://msdn.microsoft.com/en-us/library/aa973813.aspx

A similar question was answered here:

What's the difference between requestValidationMode 2.0 and 4.0

It's also possible that either ASP.NET 4.0 is not installed or that the application pool is not set to run under 4.0.

Community
IrishChieftain
0

ValidationRequest="false" only applied to .aspx files in prior versions of the framework.

In ASP.NET 4 it is enabled for all requests before the BeginRequest phase of any HTTP request. So request validation applies to requests for all ASP.NET resources such as web service calls and custom HTTP handlers.

To bypass this new mechanism one must create their own RequestValidator and change the web.config to use this custom validator.

http://msdn.microsoft.com/en-us/library/system.web.util.requestvalidator.aspx

David Elyk
  • Aha. Interesting. I'll look into it. Btw, a little update on the problem. Apparently the framework doesn't stop my data from being put into my database, it just shows the error :S – Kasper Skov Apr 07 '11 at 17:53
  • Okay David, I've read it. Good stuff. But aren't you saying the complete opposite of what MSDN is saying? To me it sounds like (after reading your link) I don't have to worry about validation errors. My only concern is if I WANT to validate something specific. But aren't you saying that it will always validate - no matter what? – Kasper Skov Apr 07 '11 at 18:24
  • Anyways, really don't wanna waste any more tears on it. I guess I'll just make my own requestValidator as you said. There's a good example on MSDN. Thanks for your time mate. – Kasper Skov Apr 07 '11 at 18:34
  • Okay. I had nightmares all night about this issue. Do you have any explanation why this is happening, David? It's so weird that the framework ignores the "dangerous" tags when the ckeditor is empty to begin with, but comes with an error when there's data in the editor to begin with. The code is identical. – Kasper Skov Apr 08 '11 at 17:11
  • 1
    Sorry, this is just not true. You don't need to implement your own request validator if you don't want any validation, if you're using `requestValidationMode="2.0"`. – configurator Apr 08 '11 at 23:45
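The custom `RequestValidator` route mentioned in the last answer, as an added example that is not part of the thread: rather than switching validation off, it exempts one form field on one page and leaves the built-in check in place for every other input. The namespace, class name, page path and control ID are assumptions chosen for illustration.

```csharp
// Added example, not code from the thread. SampleApp, EditorFieldValidator,
// "/EditArticle.aspx" and "txtBody" are hypothetical names.
using System;
using System.Web;
using System.Web.Util;

namespace SampleApp
{
    // Registered in web.config (use an assembly-qualified name if needed):
    //   <httpRuntime requestValidator="SampleApp.EditorFieldValidator" />
    public class EditorFieldValidator : RequestValidator
    {
        // Assumed page and server-control ID that host the rich-text editor.
        private const string EditorPath = "/EditArticle.aspx";
        private const string EditorControlId = "txtBody";

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Form keys for server controls look like "ctl00$Main$txtBody",
            // so match the bare ID or the ID after the last '$'.
            bool keyMatches = collectionKey != null &&
                (collectionKey == EditorControlId ||
                 collectionKey.EndsWith("$" + EditorControlId, StringComparison.Ordinal));

            bool isEditorField =
                requestValidationSource == RequestValidationSource.Form &&
                keyMatches &&
                string.Equals(context.Request.Path, EditorPath,
                              StringComparison.OrdinalIgnoreCase);

            if (isEditorField)
            {
                validationFailureIndex = -1; // no failing offset to report
                return true;                 // HTML allowed for this field only
            }

            // Query strings, cookies, headers and all other form fields
            // still go through the framework's built-in check.
            return base.IsValidRequestString(context, value,
                requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}
```

The exempted field now reaches page code unchecked, so its HTML has to be sanitized or encoded before it is rendered, for example with the Anti-Cross Site Scripting Library linked in the second answer.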