0

I'd like to let my user add HTML to an entry in a SQL Server table using the CMS, but I keep getting the warning:

System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$TextBox2="<p>We...

What is the best way to allow HTML to be added to my CMS?

Many thanks

Dennis Traub
  • 50,557
  • 7
  • 93
  • 108
michaelmcgurk
  • 6,367
  • 23
  • 94
  • 190

2 Answers2

1

You can enable/disable request validation on a per control, per page, or on application level. See http://www.asp.net/learn/whitepapers/request-validation for more info.

Be aware that if you're using asp.net 4.0 you might have to set the requestValidationMode as well (see ValidateRequest="false" doesn't work in Asp.Net 4)

Community
  • 1
  • 1
Dennis Traub
  • 50,557
  • 7
  • 93
  • 108
  • Brilliant!!! Adding `validateRequest="false"` has resolved this issue. Many thanks for your speedy and helpful reply Dennis. – michaelmcgurk May 23 '11 at 14:16
0

ASP.NET automatically tests forms for input of potentially dangerous characters (pretty much anything HTML...). To get around this you can ValidateRequest="false" at either the page or app level (in web.config), but then you will need to manually clean the HTML yourself to ensure that no malicious code is injected. The best article on code cleaning I've seen is http://wonko.com/post/html-escaping .

Judo
  • 5,167
  • 3
  • 24
  • 34
  • Brilliant, Judo. I'll take a look into this. For now, I'm being "lazy" and using `validateRequest="false"` at page level for my CMS pages. – michaelmcgurk May 23 '11 at 14:16
  • Take a lot of care on this, users could hack the site directly... At a minimum use SQLparameters for receiving the input. – Judo May 23 '11 at 14:55