I have a form with a textarea (tinymce) for input content. When I perform an ajax request, I get the error:

A potentially dangerous Request.Form value was detected from the client

Then I've tried something like

html.encodeURIComponent() or escape() but the error is still here

HTML:

<form id="editForm" action="" method="post">
  <input type="text" id="title" name="title" />
  <textarea id="content" name="content"></textarea>
  <input type="button" id="submit" onclick="Submit();" />
</form>

Script (I use jQuery)

function Submit(){
 $.ajax({                
  url: 'ajax.aspx?type=addcontent&' + $('#editForm').serialize() + '&rnd=' + Math.random(),
  success: function(data) {
   alert('OK');
  }
 });
}

As soon as I press the submit button, the error appears. No ajax request is made. I've tried adding ValidateRequest="false" to the aspx page but the problem is still here.

Any help is appreciated!

A: 
$.post('/foo', { htmlContent: '<someHtml/>' }, function(result) {
    alert('ok');
});

Now the error comes from the server side script which doesn't accept HTML. The ASP.NET engine will automatically drop any requests containing HTML. There are different ways of disabling this behavior at your own risk. One of them consists of adding ValidateRequest="false" to the aspx @Page header.

<%@ Page Language="C#" AutoEventWireup="false" ValidateRequest="false" %>

If it is an ASP.NET MVC application you could decorate the controller action to which you are posting with the [ValidateInput(false)] attribute:

[HttpPost]
[ValidateInput(false)]
public ActionResult Foo()
{
    ...    
}

It is also important to note that if you are running .NET 4.0 you will need to add the following to your web.config:

<httpRuntime requestValidationMode="2.0" />
Darin Dimitrov
I guess that too so I've tried to encode the html content but still find nothing ~.~
NVA
You don't need to encode anything. If you use the `data` hash to send parameters jQuery will take care of encoding.
Darin Dimitrov
Could you please give me an example or a link to the tut? Thanks a lot!
NVA
What tutorial? Did you try what I suggested?
Darin Dimitrov
I add 'data: hash' to the ajax request but nothing changes.
NVA
And on the server side did you disable input validation? If yes, how and what exactly did you do? What version of the framework are you using?
Darin Dimitrov
To which aspx page did you add the `ValidateRequest="false"` attribute? It should be the one you are sending the AJAX request to (`ajax.aspx`) and not the one containing the `textarea`.
Darin Dimitrov
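Why encodeURIComponent() or escape() in the browser does not make the error go away, shown as an added example that is not code from this thread or from ASP.NET: the server percent-decodes each submitted value before request validation looks at it, so the check still sees the raw markup. Assumptions: `looksDangerous` is a JavaScript approximation of the ASP.NET check, the other function names are hypothetical, and the editor content is a constructed sample.

```javascript
// Approximation of the request-validation heuristic: flag "<" followed by a
// letter, "!", "/" or "?", and "&" followed by "#". Not ASP.NET's own source.
function looksDangerous(value) {
  for (let i = 0; i < value.length - 1; i++) {
    const next = value[i + 1];
    if (value[i] === '<' && /[A-Za-z!\/?]/.test(next)) return true;
    if (value[i] === '&' && next === '#') return true;
  }
  return false;
}

// The server parses the query string or form body into name/value pairs,
// which percent-decodes every value, and only then validates the values.
function valuesSeenByServer(encodedPairs) {
  return Object.fromEntries(new URLSearchParams(encodedPairs));
}

// Names of the fields that would trigger the "potentially dangerous" error.
function rejectedFields(encodedPairs) {
  const fields = valuesSeenByServer(encodedPairs);
  return Object.keys(fields).filter((name) => looksDangerous(fields[name]));
}

// Constructed sample: markup a rich-text editor might put in the textarea.
const editorHtml = '<p>Hello <b>world</b></p>';

// Roughly what $('#editForm').serialize() produces for the form above.
// jQuery's `data` hash encodes values the same way.
const serialized = 'title=' + encodeURIComponent('My post') +
                   '&content=' + encodeURIComponent(editorHtml);

// Constructed sample: plain text with stray "<" and "&" is not flagged.
const plainText = 'title=' + encodeURIComponent('Math') +
                  '&content=' + encodeURIComponent('2 < 3 and x & y');

console.log('on the wire  :', serialized);
console.log('wire flagged :', looksDangerous(serialized));
console.log('server sees  :', valuesSeenByServer(serialized).content);
console.log('rejected     :', rejectedFields(serialized));
console.log('plain text   :', rejectedFields(plainText));
```

The encoded wire form contains no `<` at all, yet the `content` field is still rejected after decoding. That is why the remaining choice is the server-side setting on the page that receives the request, after which encoding or sanitizing the stored HTML on output becomes the application's responsibility.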