Errors when adding HTML in a textbox

I have an .aspx page with a textbox on it, and whenever a user tries to submit some HTML type code it generates an unhandled exception error for it being "A potentially dangerous Request.Form value". I think it's doing this as an automatic safeguard against cross-site scripting, but what can I do to handle it so the user doesn't get the lovely red and yellow error page?

I tried putting the submit in a try...catch block, but it doesn't appear to be running the try...catch before it brings up the page. Can somebody please help with this?

Thanks,
Jeremy
Nov 18 '05 #1
One of the enhancements in 1.1 is the new "ValidateRequest" feature that
provides automatic detection and blocking of
suspicious looking data. This is a feature to prevent HTML injection and
other such attacks.
Here's more info:
http://weblogs.asp.net/vga/archive/2003/05/02/6329.aspx
http://www.asp.net/faq/RequestValidation.aspx
http://groups.google.com/groups?q=%2...phx.gbl&rnum=1

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
"Jeremy" <an*******@discussions.microsoft.com> wrote in message
news:3F**********************************@microsof t.com...
> I have an .aspx page with a textbox on it, and whenever a user tries to submit some HTML type code it generates an unhandled exception error for it being "A potentially dangerous Request.Form value". I think it's doing this as an automatic safeguard against cross-site scripting, but what can I do to handle it so the user doesn't get the lovely red and yellow error page?
> I tried putting the submit in a try...catch block, but it doesn't appear to be running the try...catch before it brings up the page. Can somebody please help with this?
> Thanks,
> Jeremy

Nov 18 '05 #2
Hello Jeremy...see this reference in MSDN help

http://msdn.microsoft.com/library/de.../cpconpage.asp

See the section about the ValidateRequest attribute

hth,
Chad McCune, MCSE, MCDBA

"Jeremy" <an*******@discussions.microsoft.com> wrote in message
news:3F**********************************@microsof t.com...
> I have an .aspx page with a textbox on it, and whenever a user tries to submit some HTML type code it generates an unhandled exception error for it being "A potentially dangerous Request.Form value". I think it's doing this as an automatic safeguard against cross-site scripting, but what can I do to handle it so the user doesn't get the lovely red and yellow error page?
> I tried putting the submit in a try...catch block, but it doesn't appear to be running the try...catch before it brings up the page. Can somebody please help with this?
> Thanks,
> Jeremy

Nov 18 '05 #3
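The ValidateRequest check that both replies refer to raises System.Web.HttpRequestValidationException before any control event handler runs, which is why a try...catch around the submit code never fires. The following is an added example, not code from anyone in this thread: it leaves validation switched on and replaces the error page from Application_Error in the code-behind for Global.asax. The class name Global and the message text are assumptions.

```csharp
// Global.asax.cs: constructed example for ASP.NET 1.1. Global.asax is assumed
// to contain <%@ Application Inherits="Global" %>.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Request validation throws while ASP.NET is reading the posted form,
    // before the button's Click handler runs, so a try...catch inside that
    // handler never sees the exception. Application_Error does.
    protected void Application_Error(object sender, EventArgs e)
    {
        // The exception may arrive wrapped in another exception, so walk the
        // InnerException chain looking for the validation failure.
        Exception ex = Server.GetLastError();
        while (ex != null && !(ex is HttpRequestValidationException))
        {
            ex = ex.InnerException;
        }
        if (ex == null)
        {
            return; // some other error: leave it to the normal error handling
        }

        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;
        Response.ContentType = "text/html";
        // Static text only: never echo the rejected input back into the page.
        Response.Write("<html><body><p>HTML markup is not accepted in this " +
                       "form. Please go back, remove it and submit again." +
                       "</p></body></html>");
    }
}
```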
Thanks for your help, I didn't realize that it was a new "feature" of 1.1. I had heard that MS was going to automatically turn on security type features, but I wasn't sure exactly what they were going to do.

My form is submitting data to a database and I'm using some validator controls to ensure some of the fields are dates, so do I need to Server.HtmlEncode my date fields when I submit? Also, should I HtmlDecode the fields I encode when I display the information in a label?

Thanks for your help,
Jeremy
Nov 18 '05 #4
Thanks for the reference Chad. It sure helps in understanding all this stuff.

Jeremy
Nov 18 '05 #5
A couple short and simple tests should lead you to these answers yourself.
Just try it and see.

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
"Jeremy" <an*******@discussions.microsoft.com> wrote in message
news:56**********************************@microsof t.com...
> Thanks for your help, I didn't realize that it was a new "feature" of 1.1. I had heard that MS was going to automatically turn on security type features, but I wasn't sure exactly what they were going to do.
> My form is submitting data to a database and I'm using some validator controls to ensure some of the fields are dates, so do I need to Server.HtmlEncode my date fields when I submit? Also, should I HtmlDecode the fields I encode when I display the information in a label?
> Thanks for your help,
> Jeremy

Nov 18 '05 #6
Yeah, I agree. After thinking about this I don't think this type of question could be given a straightforward answer. It's my application with its own set of requirements and what might work well for some situations won't work well for others. Plus it's hard to tell what other people really need in their application when you're giving out advice.

Thanks for the help
Jeremy
Nov 18 '05 #7
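For the encoding question in post #4, one common arrangement is shown here as an added example, not code from anyone in this thread: with ValidateRequest="false" on the page, the text is stored exactly as typed through a parameterized command, and Server.HtmlEncode is applied only when the value is written into a Label, so nothing is ever decoded. The control names, the Comments table and the ConnectionString appSettings key are assumptions.

```csharp
// Comment.aspx.cs: constructed example for ASP.NET 1.1. Comment.aspx is assumed
// to begin with <%@ Page ValidateRequest="false" Inherits="CommentPage" %> and to
// declare txtComment, txtDate, lblPreview and a Button with OnClick="btnSave_Click".
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

public class CommentPage : Page
{
    protected TextBox txtComment;
    protected TextBox txtDate;
    protected Label lblPreview;

    protected void btnSave_Click(object sender, EventArgs e)
    {
        // A parsed DateTime cannot carry markup, so the date needs no encoding.
        DateTime postedOn;
        try { postedOn = DateTime.Parse(txtDate.Text); }
        catch (FormatException)
        {
            lblPreview.Text = "Please enter a valid date.";
            return;
        }

        // Store the comment exactly as typed. Parameters keep it out of the SQL
        // text; HTML encoding is not a defence against SQL injection.
        string connStr = ConfigurationSettings.AppSettings["ConnectionString"];
        using (SqlConnection cn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO Comments (Body, PostedOn) VALUES (@body, @postedOn)", cn))
        {
            cmd.Parameters.Add("@body", SqlDbType.NVarChar, 4000).Value = txtComment.Text;
            cmd.Parameters.Add("@postedOn", SqlDbType.DateTime).Value = postedOn;
            cn.Open();
            cmd.ExecuteNonQuery();
        }

        // Label.Text is written to the page as-is, so encode here, once, on output.
        // The browser shows &lt;b&gt; as the literal characters <b>; no HtmlDecode.
        lblPreview.Text = postedOn.ToShortDateString() + ": " +
                          Server.HtmlEncode(txtComment.Text);
    }
}
```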
