tags:
views: 43
answers: 2

I have an ASP.NET application that will display a Dataset's XML in a textbox when a button is clicked.

Clicking the button again should rerun the request, but before this can happen I get an error saying 'A potentially dangerous Request.Form value was detected from the client (txtXML="<NewDataSet> ...)' Obviously, the angle brackets are being interpreted as a potential cross-site scripting attack.

I tried clearing the textbox text in the button click event handler and the Page_Load() method, but these seem to be too late.

Is there another event I can handle that will allow me to clear the text early enough in the request-handling process?

A: 

You can clear the textbox on the client side using JavaScript before sending unnecessary data back to the server:

On button: <asp:Button OnClientClick="document.getElementById(...).value = '';" .... /> or something similar.

But this still looks like a hack. If you intend only to display the text, why aren't you using a more appropriate control for that?

Audrius
I'm just displaying the XML in a textbox as a test, not for use on a production server, so security is not an issue.
Buggieboy
A: 

A potentially dangerous Request.Form value was detected from the client

Yeah, this is ASP.NET's utterly bogus attempt to mitigate cross-site-scripting vulnerabilities. You can turn it off by adding:

ValidateRequest="false"

to the @Page directive at the top of your template.

Naturally you should be sure you're properly HTML-escaping any incoming < and & symbols before you spit them into a textarea, otherwise you'd be vulnerable to XSS attacks. But that's the case even with ValidateRequest turned on; it buys you only an obfuscation and illusion of security.

Shame on MS for turning this wrong-headed application-breaking feature on by default.

If you don't need the txtXML to be submitted with the next request, try moving it out of the form/removing the name attribute.

bobince
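The round trip both answers are describing, as an added example that is not part of the original question or either answer: the server HTML-escapes the DataSet XML into the textarea, the browser decodes the entities back and posts the raw `<NewDataSet>` text on the next click, and request validation rejects it. The model then tries each suggested fix: clearing the field client-side before submit (first answer), setting ValidateRequest="false", and dropping the name attribute so the field is never posted (second answer), and shows that output escaping is the part that has to stay in place either way. The request-validation rule is an approximation of the .NET 4 check ('<' followed by a letter, '!', '/' or '?', or the sequence '&#') and is an assumption, not ASP.NET's code; the sample XML is constructed, and plain objects stand in for the DOM.

```javascript
// Added example, not from the original post. Models the thread's round trip:
// escape on output, browser decodes and posts raw, request validation rejects.

// Constructed sample: what DataSet.GetXml() might return for a one-row table.
const SAMPLE_XML =
  '<NewDataSet>\n  <Table>\n    <Name>A & B</Name>\n  </Table>\n</NewDataSet>';

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPES = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

// Output encoding the server must apply before echoing untrusted text into
// element content. This, not request validation, is what prevents XSS.
function htmlEscape(text) {
  return text.replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// What the browser does with the textarea's content before it is submitted:
// a single decoding pass, so "&amp;lt;" becomes "&lt;", not "<".
function htmlUnescape(markup) {
  return markup.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => UNESCAPES[name]);
}

// Markup for the textbox. withName=false models the second answer's suggestion
// of removing the name attribute so the control is not posted back at all.
function renderTextArea(id, text, withName = true) {
  const nameAttr = withName ? ` name="${id}"` : '';
  return `<textarea id="${id}"${nameAttr}>${htmlEscape(text)}</textarea>`;
}

// Approximation (assumption) of the .NET 4 request-validation rule:
// '<' followed by a letter, '!', '/' or '?', or the sequence '&#'.
function looksDangerousToRequestValidation(value) {
  for (let i = 0; i < value.length; i++) {
    const c = value[i], next = value[i + 1];
    if (c === '<' && next !== undefined && /[A-Za-z!\/?]/.test(next)) return true;
    if (c === '&' && next === '#') return true;
  }
  return false;
}

// The first answer's OnClientClick handler: empty the field before submit.
// Works on a real DOM element or on the stand-in object used here.
function clearBeforeSubmit(field) {
  field.value = '';
  return field;
}

// Parse the rendered markup the way a browser would and build the POST body.
function simulatePostback(markup, { clearOnClick = false } = {}) {
  const m = /<textarea id="([^"]+)"( name="([^"]+)")?>([\s\S]*?)<\/textarea>/.exec(markup);
  if (!m) throw new Error('no textarea in markup');
  const field = { id: m[1], name: m[3], value: htmlUnescape(m[4]) };
  if (clearOnClick) clearBeforeSubmit(field);
  const form = {};
  if (field.name) form[field.name] = field.value; // unnamed controls are not submitted
  return form;
}

// Server-side gate: with ValidateRequest on (the default) any field that trips
// the check raises the "potentially dangerous Request.Form value" error.
function validateRequest(form, validateRequestEnabled = true) {
  if (!validateRequestEnabled) return { ok: true };
  for (const [name, value] of Object.entries(form)) {
    if (looksDangerousToRequestValidation(value)) return { ok: false, field: name };
  }
  return { ok: true };
}

// Walk the thread's scenario: the default page, then each suggested fix.
function scenario() {
  const markup = renderTextArea('txtXML', SAMPLE_XML);
  return {
    escapedInMarkup: !markup.includes('<NewDataSet>'),
    secondClickDefault: validateRequest(simulatePostback(markup)),
    clearedOnClient: validateRequest(simulatePostback(markup, { clearOnClick: true })),
    validationOff: validateRequest(simulatePostback(markup), false),
    withoutName: validateRequest(simulatePostback(renderTextArea('txtXML', SAMPLE_XML, false))),
  };
}
```

Running `scenario()` shows the escaped markup is exactly what request validation later complains about once the browser has decoded it: the default second click is rejected on txtXML, while clearing the field, turning validation off, or dropping the name attribute all get through. Note that `htmlEscape` is applied in every branch; removing it is what would actually make the page exploitable, whatever ValidateRequest is set to.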