I'm trying to allow a user to enter HTML text into a textBox (FreeTextBox) but am getting an error upon submitting:
A potentially dangerous Request.Form value was detected from the client (noteTextBox="<H2><FONT size=6>asd...").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (noteTextBox="<H2><FONT size=6>asd...").
Anybody know how to deal with this while still allowing me to save the html?
<%@ Page ... ValidateRequest="false" ... %>
I think the reason for this error was that someone could enter a <script> tag in your textbox with javascript code, and then if you grab that value from the form and display it directly on another page, the code in the <script> tag would be executed on your user's computer... this could be potentially bad. I usually turn the error off though, like the previous poster. If you HtmlEncode() anything that you display that ultimately came from the user, it should be ok to turn it off.
How do I HtmlEncode() this text?
Dim myText As String = Server.HtmlEncode(yourTextbox.Text)
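Putting the thread's two pieces of advice together (validation off in the Page directive, encoding at the point of display), here is an added code-behind example that is not from any poster. It assumes an ASP.NET Web Forms page declared with ValidateRequest="false", a TextBox named noteTextBox (the FreeTextBox input), a Literal named safeNote that renders whatever is assigned to its Text property, and a hypothetical SaveButton_Click handler wired to a submit button; none of these names come from the original thread.

```vb
' Added example, not from the original thread. ASP.NET Web Forms code-behind for
' a page declared with ValidateRequest="false". Assumed controls: a TextBox named
' noteTextBox and a Literal named safeNote (both hypothetical names).
Imports System
Imports System.Web
Imports System.Web.UI

Partial Class NotePage
    Inherits Page

    ' Holds the submitted note for this request; a real page would persist it,
    ' storage is outside the scope of this example.
    Private savedHtml As String

    Protected Sub SaveButton_Click(sender As Object, e As EventArgs)
        ' With request validation off, the string arrives exactly as typed, so
        ' it may contain <script> tags or on* event-handler attributes.
        savedHtml = noteTextBox.Text

        ' Vulnerable path (left commented out): assigning the raw markup sends
        ' it to the browser unchanged, so a <script> the submitter typed would
        ' run in every viewer's browser.
        ' safeNote.Text = savedHtml

        ' Safe path: encode at output. The tags are shown as text, not parsed.
        safeNote.Text = EncodeForDisplay(savedHtml)
    End Sub

    ' One shared helper so every place that echoes user input encodes the same
    ' way. HttpUtility.HtmlEncode is the same routine Server.HtmlEncode calls and
    ' is usable outside a Page (for example in a data layer or unit test).
    Public Shared Function EncodeForDisplay(untrusted As String) As String
        If untrusted Is Nothing Then Return String.Empty
        ' Turns < > & " (and ' on .NET 4 and later) into entities, e.g.
        ' "<script>alert(1)</script>" becomes "&lt;script&gt;alert(1)&lt;/script&gt;".
        Return HttpUtility.HtmlEncode(untrusted)
    End Function
End Class
```

Note what the encoded path does to the original submission: `<H2><FONT size=6>asd...` is displayed literally as those characters rather than as a large heading, which is exactly the trade the thread's advice makes. Encoding is applied when the value is rendered, never when it is stored, so the saved HTML stays intact and the same helper can be reused on every page that shows it.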