I have a page with a button and a textbox. When I input "<string>" in the text box and then press the button, I get this error: A potentially dangerous Request.Form value was detected from the client (TextBox1=""<string>"").

+1  A: 

You need to tell ASP not to validate the form values on the page:

<%@ Page  ... ValidateRequest="false"%>

This gets rid of your error, but on the back end you need to protect yourself from malicious input. Replace all < and > characters with encoded values so that you do not open yourself up to an XSS attack.

Stargazer712
+1  A: 

Because you are passing the "<" and the ">", which could include possible malicious data. You need to turn off page validation by either:

Setting the page declaration:

<%@ Page Language="C#" ValidateRequest="false" %>

Or in the web.config:

<system.web>
  <pages validateRequest="false" />
</system.web>

If you do this you need to sanitize the input stringently! You can do this by encoding your input on the server side:

Server.HtmlEncode(TextBox1.Text)
Dustin Laine
I like this Server.HtmlEncode(TextBox1.Text), but if I use TextBox1.Text = Server.HtmlEncode("<uju>"); it shows <uju>. How to solve this?
Delta
You then use `Server.HtmlDecode(string)` to get it back to the way you want.
Dustin Laine
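
An added example (not code from the thread or from ASP.NET itself): a stand-alone C# console sketch of encoding once at the point of output, which also shows why assigning an already-encoded string to a TextBox displays the entities. It uses System.Net.WebUtility.HtmlEncode as a stand-in for Server.HtmlEncode, and RenderLabel and RenderTextBox are hypothetical models of the markup a Label and a TextBox emit.

```csharp
using System;
using System.Net;

static class EncodeOnOutputDemo
{
    // Hypothetical model of a Label: its Text is written into the page as-is.
    static string RenderLabel(string text) =>
        "<span id=\"Label1\">" + text + "</span>";

    // Hypothetical model of a TextBox: the control HTML-encodes Text itself
    // when it writes the value attribute.
    static string RenderTextBox(string text) =>
        "<input id=\"TextBox1\" value=\"" + WebUtility.HtmlEncode(text) + "\" />";

    static void Main()
    {
        // Constructed sample inputs, as posted with ValidateRequest="false".
        string[] submitted = { "<uju>", "<script>alert(1)</script>", "a & b" };

        foreach (string raw in submitted)
        {
            // Keep the raw value for storage and logic; encode only at output.
            string encoded = WebUtility.HtmlEncode(raw);

            Console.WriteLine("input           : " + raw);
            // Raw into markup: the browser parses the value as HTML.
            Console.WriteLine("label, raw      : " + RenderLabel(raw));
            // Encoded once: the browser shows the characters as text.
            Console.WriteLine("label, encoded  : " + RenderLabel(encoded));
            // TextBox given the raw value: encoded once by the control.
            Console.WriteLine("textbox, raw    : " + RenderTextBox(raw));
            // TextBox given an encoded value: encoded twice, so the user
            // sees the entity text instead of the original characters.
            Console.WriteLine("textbox, encoded: " + RenderTextBox(encoded));
            Console.WriteLine();
        }
    }
}
```

In a page's code-behind the same rule means assigning the raw string to TextBox1.Text and calling Server.HtmlEncode only where the value is written into markup, such as a Label's Text.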
+1  A: 

This is a security feature of ASP.NET, which prevents a user from submitting potentially dangerous code like script blocks.

You can disable this by setting the validateRequest attribute of the Page directive to false:

 <%@ Page validateRequest="false" %>

or disable it in web.config:

<configuration>
    <system.web>
        <pages validateRequest="false" />
    </system.web>
</configuration>

But be careful! As I said, this is a security feature!

You can read more about it here: http://www.asp.net/learn/whitepapers/request-validation

Dave