How do I handle possible (but undesired) HTML in input?

Hi

I have a number of pages where it is valid for the user to enter HTML.
On these pages, I have turned off RequestValidation ("ValidateRequest =
false" in the page directive) so that the HttpRequestValidationException
that gets thrown if HTML is included in the Form, doesn't get thrown.

This is fine.

However, on some of those pages, there are fields where I don't want
it to be possible for the user to enter HTML. There are also other
pages where I don't want the user to enter HTML, but I *don't* want
the exception to get thrown - I want to handle it nicely, preferably
with a nice validation message.

This exception gets thrown by System.Web.HttpRequest.ValidateInput,
and its message is "A potentially dangerous Request.Form value was
detected from the client [name of control][value causing problem]".
This method validates the querystring, form, and cookies. Thus, it
gets thrown well before execution starts on any of my own code -
before Page.OnInit, that is.

As far as I can see, there are a couple of ways I can proceed:
* I can turn off Request Validation, and Server.HtmlEncode all the
values in the Form that are not allowed to be HTML. This will
translate "<" to "&lt;" and so on - this is problematic because I use
fixed-length varchars in my database (it's a DB-driven site), and .NET
currently truncates them silently. So if someone typed "<b>Headline
for fantastic article</b>" in a field that allowed 40 characters, it
would get stored as "&lt;b&gt;Headline for fantastic article" -
without the trailing "&lt;/b&gt;". I would have to change my text
length validation to validate the Encoded strings (which would mean
encoding them client-side, or doing without client-side validation),
or I would have to make all my DB fields four times as big as they
needed to be. Neither solution is very attractive to me.

* I can turn off Request Validation, and instead call the method that
throws it inside of a Custom Validator that returns invalid if it
catches the HttpRequestValidationException. I'm worried about how to
repopulate the fields after a postback if they potentially contain HTML
- what would it do to my page layout? Also, this would only tell me
that there is HTML in the Form, not which field it's in - ideally
(since we're doing this *properly*! :) ), I want to be able to
return a validation-error for each field that contains HTML (where
it's not allowed). This is because once the method finds a Form
variable that has HTML, it throws the exception; so it'd only be able
to point at the first field that has HTML, not all of them. Unless
it's possible to validate individual Form variables with the method -
I don't know yet.

* I can turn off Request Validation, and write (or more likely find) a
Regular Expression to validate each text input for HTML (probably just
matched pairs of angle brackets with text inside, not a check against
a list of W3C tags), and add a client-side validator to all of my text
inputs. This strikes me as maybe the simplest, but relies on finding
such an Expression, and also that the multiple calls to it are not too
heavy. It also means that if the user has Javascript turned off, my
Form will have potential HTML in it, which it will write back to the
fields from their ViewState on PostBack. However, the error message
from the serverside Condition for the RegexValidator should still be
displayed in such a case - I'm just worried about what the page might
look like, past the field with the HTML in.

For reference, the site uses Javascript, and I'm in the happy position
of being able to make "turn Javascript on" a requirement of using it -
it's primarily for corporate intranet use, where the environment is
pretty controlled.

I'm not entirely certain how to proceed - does anyone have any
comments or suggestions? Thanks in advance.

Regards
Nick Gilbert
Software Developer, X-RM Ltd
PS I've bought and am using the excellent "Professional Validation and
More" package by Peter Blum - this is why some of the validation
controls I've named are not the same as the .NET basic ones.
Nov 18 '05 #1
Hi Nick,

As for the validation problem on the input values of the web page, I think
this is just the cross-site scripting issue and in ASP.NET 1.1 it provides
the "RequestValidation" attribute which can be set to auto validate the
coming request's Form, querystring, cookie collection. Also, there is a
certain tech article written by Scott Hanselman discussing how to manually do
the RequestValidation (for ASP.NET 1.0 since in 1.0 there is no built-in
Request Validation for this). Not sure whether you've read it before, I
think it'll be helpful:

#Adding Cross-Site Scripting Protection to ASP.NET 1.0
http://msdn.microsoft.com/library/en...rotection.asp?frame=true

In addition, as you mentioned, you want some of the input fields to be
validated and some others not. If so, I'm afraid we have to manually do the
validation on those certain input fields in the page's codebehind events
(such as Page_Load, Init ...).

Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
Nov 18 '05 #2
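The question's second and third options (doing the HTML check per field in the page's own code instead of relying on Request.ValidateInput, and catching the HtmlEncode length expansion before the varchar column truncates it) and Steven's suggestion of validating particular fields in the code-behind fit together as follows. This is an added example, not code from the thread or from either poster, written for ASP.NET Web Forms on the .NET Framework with ValidateRequest="false" on the page; the field names, the 40-character column, the `plainTextFields` list and the class names are constructed for illustration.

```csharp
// Added example (not from the thread). Assumes ValidateRequest="false" on the
// page and a hypothetical list of field names that must stay plain text.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;                       // HttpUtility.HtmlEncode
using System.Web.UI.WebControls;        // CustomValidator / ServerValidateEventArgs

public static class HtmlFieldValidation
{
    // An opening or closing tag: '<', optional '/', a letter (or '!' / '?' for
    // comments and processing instructions), then anything up to the next '>'.
    // This is the "matched angle brackets with text inside" check from the
    // question, deliberately simpler than a full HTML parser.
    static readonly Regex TagPattern =
        new Regex(@"<\s*/?\s*[A-Za-z!?][^>]*>", RegexOptions.Compiled);

    public static bool ContainsHtml(string value)
    {
        return value != null && TagPattern.IsMatch(value);
    }

    // Check every plain-text field and report *all* offenders, not just the
    // first one (Request.ValidateInput stops at the first field it rejects).
    public static List<string> FindFieldsWithHtml(
        NameValueCollection form, IEnumerable<string> plainTextFields)
    {
        List<string> offenders = new List<string>();
        foreach (string name in plainTextFields)
        {
            if (ContainsHtml(form[name]))
                offenders.Add(name);
        }
        return offenders;
    }

    // Length check on the *encoded* value, so HtmlEncode's expansion
    // ("<" becomes "&lt;", four characters for one) is caught by validation
    // instead of by silent truncation in the varchar column.
    public static bool FitsAfterEncoding(string value, int columnLength,
                                         out string encoded)
    {
        encoded = HttpUtility.HtmlEncode(value ?? string.Empty);
        return encoded.Length <= columnLength;
    }
}

// Wiring into a standard ASP.NET CustomValidator, one per plain-text field:
// set ControlToValidate to the TextBox and ServerValidate to the handler.
// Because each field has its own validator, the message appears next to
// the field that contains the HTML.
public class ArticlePage : System.Web.UI.Page
{
    protected void PlainTextValidator_ServerValidate(
        object source, ServerValidateEventArgs args)
    {
        args.IsValid = !HtmlFieldValidation.ContainsHtml(args.Value);
    }

    protected void HeadlineLengthValidator_ServerValidate(
        object source, ServerValidateEventArgs args)
    {
        const int headlineColumnLength = 40;   // width of the varchar column (assumed)
        string encoded;
        args.IsValid = HtmlFieldValidation.FitsAfterEncoding(
            args.Value, headlineColumnLength, out encoded);
    }
}

// Stand-alone check against a constructed form, no web server needed.
public static class Demo
{
    public static void Main()
    {
        NameValueCollection form = new NameValueCollection();
        form["headline"] = "<b>Headline for fantastic article</b>"; // constructed sample
        form["author"]   = "Nick";
        form["body"]     = "<p>HTML is allowed in this field</p>";

        string[] plainTextFields = new string[] { "headline", "author" };
        foreach (string name in HtmlFieldValidation.FindFieldsWithHtml(form, plainTextFields))
            Console.WriteLine("HTML is not allowed in field: " + name);

        string encoded;
        if (!HtmlFieldValidation.FitsAfterEncoding(form["headline"], 40, out encoded))
            Console.WriteLine("Encoded headline is " + encoded.Length
                              + " characters, longer than the 40-character column");
    }
}
```

The regex is the same approximation the question proposes (tag-shaped runs of angle brackets), so it flags "<b>" and "</script>" but not a stray "a < b" comparison; if the fields later need to accept some markup, the check should move to an allow-list of tags rather than loosening the pattern. The encoded-length validator keeps the client-side maximum-length check useful as a first pass, while the server-side check on the encoded string is what actually protects the column.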
Hi Nick,

Have you had a chance to check out the suggestions in my last reply or have
you got any further ideas on this issue? If there're anything else we can
help, please feel free to post here. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Nov 18 '05 #3
