2

When I try to add a text like <p>example</p> to Product_Text cell of a product in Tbl_Product, I receive this message: A potentially dangerous Request.Form value was detected from the client.

Although I put <httpRuntime requestValidationMode="2.0" /> and <pages validateRequest="false" /> to <system.web> in web.config, I am continuing to receive the error message.

tereško
Arya

2 Answers

0

You need to use HtmlEncode when inserting html into the database. So something like:

var productText = Server.HtmlEncode("<p>example</p>");

in your code behind should work.

  • this looks like a solution. – Arya Sep 14 '19 at 11:15
  • 1
    That error should have absolutely nothing to do with encoding the HTML when inserting into the database since that error happens on the form submit, NOT internally when saving to the DB. – Charles Boyung Jan 05 '22 at 21:22
0

You can also use this:

On the server side, you can use this:

Create a hidden field in ASP.NET and encode it.

hiddenFieldMessage.Value = Uri.EscapeDataString(dangerousString);

Then in JavaScript, create a text area and decode the encoded value.

<script>
    (function () {
        // percent-encoded value written into the hidden field by the server
        const encoded = document.getElementById('<%= hiddenFieldMessage.ClientID %>').value;
        // decode the content back to html
        var textArea = document.createElement("textarea");
        textArea.innerHTML = decodeURIComponent(encoded);
        const content = textArea.value;  // decoded value
    })();
</script>
Gauravsa
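
An added example, not part of either answer above: switching off request validation, or percent-encoding a value as in the second answer, leaves the markup intact, so the decoded string still has to be HTML-encoded wherever it is written into a page as text. The helper names (`decodeFieldValue`, `escapeHtml`, `renderAsText`) and the sample strings are constructed for illustration.

```javascript
// Added example; helper names and sample values are constructed.

// Decode a percent-encoded field value (as produced by Uri.EscapeDataString
// or encodeURIComponent). decodeURIComponent throws URIError on malformed
// sequences such as a lone "%", so report that instead of crashing.
function decodeFieldValue(encoded) {
  try {
    return { ok: true, value: decodeURIComponent(encoded) };
  } catch (err) {
    if (err instanceof URIError) {
      return { ok: false, value: null };
    }
    throw err;
  }
}

// Encode the five HTML-significant characters so the string is shown as text.
// "&" must be replaced first, otherwise the entities added below are re-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Decode, then encode for HTML output; malformed input yields an empty string.
function renderAsText(encoded) {
  const decoded = decodeFieldValue(encoded);
  return decoded.ok ? escapeHtml(decoded.value) : "";
}

// Constructed sample: the value from the question, percent-encoded.
const sample = encodeURIComponent("<p>example</p>");
console.log(sample);                // %3Cp%3Eexample%3C%2Fp%3E
console.log(renderAsText(sample));  // &lt;p&gt;example&lt;/p&gt;
console.log(renderAsText("100%"));  // "" (malformed percent sequence)
```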