tags:

views:

40

answers:

2

Hi,

I'm working on a web form which works in the following way.

  1. Read email template from database
  2. Display email template on a web form in HTML format
  3. User adds additional information to the web form and clicks on submit button
  4. Before I get to the method which will process that request, I get "A potentially dangerous Request.Form"

I have looked at a few articles that advise using .Net 2.0 in one of the web.config sections; that didn't work. I have set requestValidation="false" for that page and it didn't work either.

My gut feeling is that I'm doing something fundamentally wrong...

The HTML template is stored as VarChar(4000) in a database.

I have tried encoding text in a method before I send an email, but that didn't work either because the web form never got to executing that method.

What other options do I have? I have tried storing plain text in the database, but then I have the issue of tabs and returns etc.

Thank you

+2  A: 

The remedy is in two parts and you MUST action both:

To disable request validation on a page add the following directive to the existing "page" directive in the file (you will need to switch to the HTML view for this):

ValidateRequest="false"

for example if you already have:

<%@ Page Language="vb" AutoEventWireup="false" 
                Codebehind="MyForm.aspx.vb"
                Inherits="Proj.MyForm"%>

then this should become:

<%@ Page Language="vb" AutoEventWireup="false"
                Codebehind="MyForm.aspx.vb"
                Inherits="Proj.MyForm"
                ValidateRequest="false"%>

In later versions of Visual Studio the value of this property is available via the page properties, so simply set "ValidateRequest" to "False". Either method of setting this achieves the same result.

Alternately, you can globally turn request validation off (but in which case be sure to implement item two below). To globally turn request validation off add the following to your web.config file:

<pages validateRequest="false" />

From: http://www.cryer.co.uk/brian/mswinswdev/ms_vbnet_server_error_potentially_dangerous.htm

David Pfeffer
At least make the effort to reformat it for SO.
Oded
I did, actually, I'm not sure what happened.
David Pfeffer
That did the job. Thank you very much.
vikp
@David: prefixing each line with > is bad juju.
Anna Lear
Never mind, did it myself ;)
Oded
I wanted to clarify that it was entirely a quote and not my own content. This looks much better though. :-)
David Pfeffer
+1  A: 

As a first security lesson, never trust user input, so if you are setting request validation to false then always HTML encode the input. Basically, either use OnClientClick on submit and replace < with &lt; and > with &gt;,

or in the submit method use Server.HtmlEncode(inputtext), or however you process it.

SSA
It's a small internal process which will be used by the developers and it's available only to users with certain privileges, so we should be safe. Thank you
vikp
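An added example (not code from the question or either answer) of the second answer's advice applied to the question's setup: the HTML email template from the database stays trusted, and only the user-supplied fields are HTML-encoded before being merged into it. The {{name}} placeholder syntax, the template and the field values are constructed for the demo; the same encoding must also run on the server (Server.HtmlEncode in the answer), because a client-side OnClientClick step can simply be skipped.

```javascript
// Added example, not code from the question or answers. Mirrors the answer's
// advice: HTML-encode user-supplied text before it is merged into the HTML
// email template loaded from the database. The {{name}} placeholder syntax,
// the template and the field values below are constructed for this demo.

// Encode the five characters that matter inside HTML text and attribute values.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Merge user fields into the trusted template. The template keeps its markup;
// every user-supplied value is encoded, so it can never contribute tags of its own.
// Unknown placeholders are left as-is so a typo is visible rather than silently blank.
function renderTemplate(template, fields) {
  return template.replace(/\{\{(\w+)\}\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(fields, name) ? htmlEncode(fields[name]) : match);
}

// Constructed template, as it might be stored in the VarChar(4000) column.
const TEMPLATE =
  '<html><body><p>Dear {{name}},</p><p>{{note}}</p>' +
  '<p>Sent by {{sender}}</p></body></html>';

// Constructed user input, including the kind of value that trips request validation.
const userFields = {
  name: "O'Neil & Sons",
  note: '<script>alert(1)</script> Please review "Q3" <b>now</b>',
  sender: 'dev-team',
};

// Returns the merged HTML: template markup intact, user values neutralised.
function demo() {
  return renderTemplate(TEMPLATE, userFields);
}

console.log(demo());
```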