views:

114

answers:

3

I am trying to create a preview window for my text editor in my blog page. I need to send the content to the server to clean up the text entered before I can preview it on the preview window. I was trying to use

$.ajax({
  type: method,   // 'POST' in my case
  url: url,
  data: values,   // the raw editor content, not yet HTML-encoded
  // Note: LoadPageCallback(targetID) is invoked immediately here, so it
  // must return the function jQuery will call on success.
  success: LoadPageCallback(targetID),
  error: function(msg) {
    // .text() writes the message as text; jQuery's .attr('innerHTML', ...)
    // does not reliably set the innerHTML property.
    $('#' + targetID).text('An error has occurred. Please try again.');
  }
});

Whenever I try to click on the preview button it returns an XMLHttpRequest error. The error description:

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

The ValidateRequest for the page is set to false.

Is there a way I can set validateRequest to false for the ajax call? Please advise.

Thank you for reading my post.

I am using ASP.NET. How can I do htmlencode using JavaScript/jQuery?

+1  A: 

If method is get, it's possible that your request is too large for it, and your request is mis-identified as an attack.

Can you try using post?

Pekka
I am using post. My web server is IIS 7.0.
dotnetrocks
@Pekka: I'm reasonably sure it's not a `get` vs `post` thing and more of a trying to submit unencoded html to an ASP.NET WebForm
R0MANARMY
@R0MAN yeah, the article you link to looks good. I'd post that as an answer.
Pekka
Thank you all for your answers. R0MANARMY's and Pekka's posts nailed it.
dotnetrocks
A: 

The ValidateRequest for the page is set to false.

How are you setting that? Evidently it hasn't taken for some reason. You can also try it in the configuration:

<pages validateRequest="false" /> 

(inside <system.web>.)

Setting validateRequest to false should stop this error appearing, and is in general the right thing to do anyway. ASP.NET's “request validation” is 100% bogus. It does not and cannot protect you properly from XSS attacks, but it will happily screw up your apps like this.

bobince
I wouldn't say "100% bogus" but maybe "not efficient for many tasks". Obviously it can't stop a determined attacker. To tell people to just turn it off all the time sounds like bad advice.
drachenstern
It sounds like bad advice but it isn't. All Request Validation is doing is hiding bugs that are very likely still exploitable, and giving you a false sense of security. That's not worth the breakage it brings with it. An ineffective security measure is worse than no security measure.
bobince
A: 

I need to send the content to the server to clean up the text entered before I can preview it on the preview window.

If you're using ASP.NET WebForms, there's a good chance you're running into this problem.

Request validation, a feature of ASP.NET since version 1.1, prevents the server from accepting content containing un-encoded HTML. This feature is designed to help prevent some script-injection attacks whereby client script code or HTML can be unknowingly submitted to a server, stored, and then presented to other users. We still strongly recommend that you validate all input data and HTML encode it when appropriate.

R0MANARMY
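The question asks how to HTML-encode on the client with JavaScript/jQuery, and this answer ends with the advice to HTML-encode input where appropriate. The following is an added example, not code from the question or from any of the answers: a client-side `htmlEncode`/`htmlDecode` pair, a check that mirrors the heuristic ASP.NET request validation applies to posted values as I understand it for ASP.NET 2.0 through 4.x (a `<` followed by a letter, `!`, `/` or `?`, or an `&` followed by `#`), and a builder for the `$.ajax` settings object shaped like the one in the question. The URL `/Preview.aspx`, the `content` parameter name and the function names are assumptions made for the example; the server side that decodes, sanitizes and returns the preview markup is not shown.

```javascript
// Added example (not from the question or answers). Runs without jQuery or a DOM;
// only buildPreviewRequest's callbacks touch `document`, and they run in the browser.

// Characters that change meaning inside HTML, and their entity forms.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text so that, wherever it lands in HTML, it can only be read as text.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reverse htmlEncode. '&amp;' is decoded last so that an encoded '&lt;'
// (which arrives as '&amp;lt;') is not accidentally turned into '<'.
function htmlDecode(encoded) {
  return String(encoded)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Approximation of the check ASP.NET request validation runs on each posted
// value (my reimplementation, not framework code). Returns the index of the
// character that would trigger the "potentially dangerous" rejection, or -1
// when the value would pass.
function aspNetDangerousIndex(value) {
  const s = String(value);
  for (let i = 0; i < s.length - 1; i++) {
    const c = s[i];
    const next = s[i + 1];
    if (c === '<' && /[A-Za-z!\/?]/.test(next)) return i; // '<b', '<!--', '</', '<?'
    if (c === '&' && next === '#') return i;              // numeric entity such as '&#60;'
  }
  return -1;
}

// Build the settings object for $.ajax(...). The editor content is sent
// HTML-encoded under the assumed parameter name `content`; the server is
// expected to htmlDecode it, run its own sanitizer, and return preview markup.
function buildPreviewRequest(url, editorHtml, targetId) {
  return {
    type: 'POST',
    url: url,
    data: { content: htmlEncode(editorHtml) },
    // The server's sanitizer is the security boundary for what is placed here;
    // the client cannot verify that the markup it receives is clean.
    success: function (cleanHtml) {
      document.getElementById(targetId).innerHTML = cleanHtml;
    },
    // A fixed error string is written as text, never as markup.
    error: function () {
      document.getElementById(targetId).textContent = 'An error has occurred. Please try again.';
    },
  };
}

// Constructed sample: what the editor might contain, and how it travels.
const sampleEditorContent = '<p>Hello &amp; <b>welcome</b></p>';
const sampleRequest = buildPreviewRequest('/Preview.aspx', sampleEditorContent, 'preview');
console.log('raw triggers validation at:', aspNetDangerousIndex(sampleEditorContent));
console.log('encoded triggers validation at:', aspNetDangerousIndex(sampleRequest.data.content));
```

Encoding on the client only sidesteps the `<x` trigger; the `&#39;` that `htmlEncode` emits for an apostrophe still trips the `&#` rule, so text such as `it's` is rejected just the same. That is why the accepted approach on this page is the server-side one: turn request validation off for the page (on ASP.NET 4 and later the per-page `ValidateRequest="false"` only takes effect with `<httpRuntime requestValidationMode="2.0" />` in web.config), then decode and sanitize the content on the server before returning it for preview.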