We have a multi-line textbox that users copy and paste email text into. The
pasted text frequently will contain a tag like <bl**@aol.com> or similar. I
believe .NET is protecting itself from code injection by throwing a global
error when this occurs. The exception message is pasted below.
We will NOT be able to train our users to eliminate all <> tags. What's the
best way to deal with this issue?
Thanks in advance.
Mark
EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
detected from the client (txtNote="<bl**@aol.com> ").
8  1618 
Hi,
This is a security measure implemented in ASP.NET (1.1) to avoid
script-injections. If you want to turn this off, add validateRequest="false"
to the <@Page > directive on the page.
To disable for the whole app, have this in your web.config (inside
<configuration></configuration>):
<system.web>
<pages validateRequest="false" />
</system.web>
HTH.
"Mark" <mf****@idonotlikespam.cce.umn.edu> wrote in message
news:ub**************@TK2MSFTNGP09.phx.gbl...
We have a multi-line textbox that users copy and paste email text into. The
pasted text frequently will contain a tag like <bl**@aol.com> or similar. I
believe .NET is protecting itself from code injection by throwing a global
error when this occurs. The exception message is pasted below.
We will NOT be able to train our users to eliminate all <> tags. What's the
best way to deal with this issue?
Thanks in advance.
Mark
EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
detected from the client (txtNote="<bl**@aol.com> ").
Great idea. However, does this render all Validation controls useless?
Like a Required Field Validator or similar?
Thanks again.
Mark
"Shiva" <sh******@online.excite.com> wrote in message
news:e3**************@TK2MSFTNGP12.phx.gbl... Hi,
This is a security measure implemented in ASP.NET (1.1) to avoid
script-injections. If you want to turn this off, add
validateRequest="false" to the <@Page > directive on the page.
To disable for the whole app, have this in your web.config (inside
<configuration></configuration>):
<system.web>
<pages validateRequest="false" />
</system.web>
HTH.
"Mark" <mf****@idonotlikespam.cce.umn.edu> wrote in message
news:ub**************@TK2MSFTNGP09.phx.gbl...
We have a multi-line textbox that users copy and paste email text into.
The pasted text frequently will contain a tag like <bl**@aol.com> or similar.
I believe .NET is protecting itself from code injection by throwing a global
error when this occurs. The exception message is pasted below.
We will NOT be able to train our users to eliminate all <> tags. What's
the best way to deal with this issue?
Thanks in advance.
Mark
EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
detected from the client (txtNote="<bl**@aol.com> ").
Nope just allows any tags to be input on forms without erroring
Doesnt stop any of the other validators
"Mark" <mf****@idonotlikespam.cce.umn.edu> wrote in message
news:OU**************@TK2MSFTNGP10.phx.gbl... Great idea. However, does this render all Validation controls useless?
Like a Required Field Validator or similar?
Thanks again.
Mark
"Shiva" <sh******@online.excite.com> wrote in message
news:e3**************@TK2MSFTNGP12.phx.gbl... Hi,
This is a security measure implemented in ASP.NET (1.1) to avoid
script-injections. If you want to turn this off, add validateRequest="false" to the <@Page > directive on the page.
To disable for the whole app, have this in your web.config (inside
<configuration></configuration>):
<system.web>
<pages validateRequest="false" />
</system.web>
HTH.
"Mark" <mf****@idonotlikespam.cce.umn.edu> wrote in message
news:ub**************@TK2MSFTNGP09.phx.gbl...
We have a multi-line textbox that users copy and paste email text into.
The pasted text frequently will contain a tag like <bl**@aol.com> or
similar. I believe .NET is protecting itself from code injection by throwing a
global error when this occurs. The exception message is pasted below.
We will NOT be able to train our users to eliminate all <> tags. What's
the best way to deal with this issue?
Thanks in advance.
Mark
EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
detected from the client (txtNote="<bl**@aol.com> ").
Mark,
We recommend that you not do this unless you pair it with writing some code
of your own to validate the request. In most cases, you can easily leave
validateRequest enabled in these circumstances by simply HTML-encoding the
data you are entering into the Textbox control.
Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support ja******@online.microsoft.com
This post is provided "AS-IS" with no warranties and confers no rights.
-------------------- From: "Steve Flitcroft" <as*******@hotmail.com>
References: <ub**************@TK2MSFTNGP09.phx.gbl>
<e3**************@TK2MSFTNGP12.phx.gbl>
<OU**************@TK2MSFTNGP10.phx.gbl>Subject: Re: <> tags typed into a asp.net textbox
Date: Mon, 9 Aug 2004 16:59:41 +0100
Lines: 56
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Message-ID: <Oe**************@TK2MSFTNGP09.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 62-249-220-208.no-dns-yet.enta.net 62.249.220.208
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP09.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:253142
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
Nope just allows any tags to be input on forms without erroring
Doesnt stop any of the other validators
"Mark" <mf****@idonotlikespam.cce.umn.edu> wrote in message
news:OU**************@TK2MSFTNGP10.phx.gbl... Great idea. However, does this render all Validation controls useless?
Like a Required Field Validator or similar?
Thanks again.
Mark
"Shiva" <sh******@online.excite.com> wrote in message
news:e3**************@TK2MSFTNGP12.phx.gbl... > Hi,
> This is a security measure implemented in ASP.NET (1.1) to avoid
> script-injections. If you want to turn this off, add
validateRequest="false" > to the <@Page > directive on the page.
>
> To disable for the whole app, have this in your web.config (inside
> <configuration></configuration>):
>
> <system.web>
> <pages validateRequest="false" />
> </system.web>
>
> HTH.
>
> "Mark" <mf****@idonotlikespam.cce.umn.edu> wrote in message
> news:ub**************@TK2MSFTNGP09.phx.gbl...
> We have a multi-line textbox that users copy and paste email text into.
The > pasted text frequently will contain a tag like <bl**@aol.com> orsimilar. I > believe .NET is protecting itself from code injection by throwing aglobal > error when this occurs. The exception message is pasted below.
>
> We will NOT be able to train our users to eliminate all <> tags.
What's the > best way to deal with this issue?
>
> Thanks in advance.
>
> Mark
>
> EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
> detected from the client (txtNote="<bl**@aol.com> ").
>
>
>
Thanks Jim,
By "writing some code" I believe you're implying server side code. However,
I don't believe ANY of the server side code will even execute with the
validateRequest property set to "true". I believe the "HTML-encoding" would
also require server side code, which would similarly bomb. Correct? Am I
missing something here? (very likely)
Thanks again.
Mark
"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:Oz**************@cpmsftngxa06.phx.gbl... Mark,
We recommend that you not do this unless you pair it with writing some
code of your own to validate the request. In most cases, you can easily leave
validateRequest enabled in these circumstances by simply HTML-encoding the
data you are entering into the Textbox control.
Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support
ja******@online.microsoft.com
This post is provided "AS-IS" with no warranties and confers no rights.
--------------------From: "Steve Flitcroft" <as*******@hotmail.com>
References: <ub**************@TK2MSFTNGP09.phx.gbl>
<e3**************@TK2MSFTNGP12.phx.gbl>
<OU**************@TK2MSFTNGP10.phx.gbl>Subject: Re: <> tags typed into a asp.net textbox
Date: Mon, 9 Aug 2004 16:59:41 +0100
Lines: 56
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Message-ID: <Oe**************@TK2MSFTNGP09.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 62-249-220-208.no-dns-yet.enta.net 62.249.220.208
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP09.phx.gbl
Xref: cpmsftngxa06.phx.gbl
microsoft.public.dotnet.framework.aspnet:253142X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
Nope just allows any tags to be input on forms without erroring
Doesnt stop any of the other validators
"Mark" <mf****@idonotlikespam.cce.umn.edu> wrote in message
news:OU**************@TK2MSFTNGP10.phx.gbl... Great idea. However, does this render all Validation controls
useless? Like a Required Field Validator or similar?
Thanks again.
Mark
"Shiva" <sh******@online.excite.com> wrote in message
news:e3**************@TK2MSFTNGP12.phx.gbl...
> Hi,
> This is a security measure implemented in ASP.NET (1.1) to avoid
> script-injections. If you want to turn this off, add
validateRequest="false"
> to the <@Page > directive on the page.
>
> To disable for the whole app, have this in your web.config (inside
> <configuration></configuration>):
>
> <system.web>
> <pages validateRequest="false" />
> </system.web>
>
> HTH.
>
> "Mark" <mf****@idonotlikespam.cce.umn.edu> wrote in message
> news:ub**************@TK2MSFTNGP09.phx.gbl...
> We have a multi-line textbox that users copy and paste email text
into. The
> pasted text frequently will contain a tag like <bl**@aol.com> or
similar. I
> believe .NET is protecting itself from code injection by throwing a
global > error when this occurs. The exception message is pasted below.
>
> We will NOT be able to train our users to eliminate all <> tags.
What's the
> best way to deal with this issue?
>
> Thanks in advance.
>
> Mark
>
> EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
> detected from the client (txtNote="<bl**@aol.com> ").
>
>
>
You can do
validateRequest="false" in the page directive.
Then in code-behind you can do something like
string myString = HttpUtility.HtmlEncode(MyTextBox.Text);
"Mark" wrote: Thanks Jim,
By "writing some code" I believe you're implying server side code. However,
I don't believe ANY of the server side code will even execute with the
validateRequest property set to "true". I believe the "HTML-encoding" would
also require server side code, which would similarly bomb. Correct? Am I
missing something here? (very likely)
Thanks again.
Mark
"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:Oz**************@cpmsftngxa06.phx.gbl... Mark,
We recommend that you not do this unless you pair it with writing some
code of your own to validate the request. In most cases, you can easily leave
validateRequest enabled in these circumstances by simply HTML-encoding the
data you are entering into the Textbox control.
Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support
ja******@online.microsoft.com
This post is provided "AS-IS" with no warranties and confers no rights.
--------------------From: "Steve Flitcroft" <as*******@hotmail.com>
References: <ub**************@TK2MSFTNGP09.phx.gbl>
<e3**************@TK2MSFTNGP12.phx.gbl>
<OU**************@TK2MSFTNGP10.phx.gbl>Subject: Re: <> tags typed into a asp.net textbox
Date: Mon, 9 Aug 2004 16:59:41 +0100
Lines: 56
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Message-ID: <Oe**************@TK2MSFTNGP09.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 62-249-220-208.no-dns-yet.enta.net 62.249.220.208
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP09.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:253142X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
Nope just allows any tags to be input on forms without erroring
Doesnt stop any of the other validators
"Mark" <mf****@idonotlikespam.cce.umn.edu> wrote in message
news:OU**************@TK2MSFTNGP10.phx.gbl...
> Great idea. However, does this render all Validation controls useless?> Like a Required Field Validator or similar?
>
> Thanks again.
>
> Mark
>
> "Shiva" <sh******@online.excite.com> wrote in message
> news:e3**************@TK2MSFTNGP12.phx.gbl...
> > Hi,
> > This is a security measure implemented in ASP.NET (1.1) to avoid
> > script-injections. If you want to turn this off, add
> validateRequest="false"
> > to the <@Page > directive on the page.
> >
> > To disable for the whole app, have this in your web.config (inside
> > <configuration></configuration>):
> >
> > <system.web>
> > <pages validateRequest="false" />
> > </system.web>
> >
> > HTH.
> >
> > "Mark" <mf****@idonotlikespam.cce.umn.edu> wrote in message
> > news:ub**************@TK2MSFTNGP09.phx.gbl...
> > We have a multi-line textbox that users copy and paste email text into.> The
> > pasted text frequently will contain a tag like <bl**@aol.com> or
similar.
> I
> > believe .NET is protecting itself from code injection by throwing a
global
> > error when this occurs. The exception message is pasted below.
> >
> > We will NOT be able to train our users to eliminate all <> tags.
What's> the
> > best way to deal with this issue?
> >
> > Thanks in advance.
> >
> > Mark
> >
> > EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
> > detected from the client (txtNote="<bl**@aol.com> ").
> >
> >
> >
>
>
Hi Mark,
If you want to leave validateRequest set to true, you will encode the data
on the client. You can do that by using the escape function in JavaScript.
You will then need to use UrlDecode against the data on the server side.
Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support ja******@online.microsoft.com
This post is provided "AS-IS" with no warranties and confers no rights.
-------------------- From: "Mark" <mf****@idonotlikespam.cce.umn.edu>
References: <ub**************@TK2MSFTNGP09.phx.gbl>
<e3**************@TK2MSFTNGP12.phx.gbl>
<OU**************@TK2MSFTNGP10.phx.gbl>
<Oe**************@TK2MSFTNGP09.phx.gbl>
<Oz**************@cpmsftngxa06.phx.gbl>Subject: Re: <> tags typed into a asp.net textbox
Date: Mon, 9 Aug 2004 11:16:52 -0500
Lines: 112
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.3790.181
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181
Message-ID: <u9**************@tk2msftngp13.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: x15-238.cce.umn.edu 134.84.15.238
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftn gp13.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:253149
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
Thanks Jim,
By "writing some code" I believe you're implying server side code.
However,I don't believe ANY of the server side code will even execute with the
validateRequest property set to "true". I believe the "HTML-encoding"
wouldalso require server side code, which would similarly bomb. Correct? Am I
missing something here? (very likely)
Thanks again.
Mark
"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:Oz**************@cpmsftngxa06.phx.gbl... Mark,
We recommend that you not do this unless you pair it with writing some
code of your own to validate the request. In most cases, you can easily leave
validateRequest enabled in these circumstances by simply HTML-encoding
the data you are entering into the Textbox control.
Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support
ja******@online.microsoft.com
This post is provided "AS-IS" with no warranties and confers no rights.
-------------------- >From: "Steve Flitcroft" <as*******@hotmail.com>
>References: <ub**************@TK2MSFTNGP09.phx.gbl>
<e3**************@TK2MSFTNGP12.phx.gbl>
<OU**************@TK2MSFTNGP10.phx.gbl> >Subject: Re: <> tags typed into a asp.net textbox
>Date: Mon, 9 Aug 2004 16:59:41 +0100
>Lines: 56
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
>Message-ID: <Oe**************@TK2MSFTNGP09.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet
>NNTP-Posting-Host: 62-249-220-208.no-dns-yet.enta.net 62.249.220.208
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP09.phx.gbl
>Xref: cpmsftngxa06.phx.gbl
microsoft.public.dotnet.framework.aspnet:253142 >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>
>Nope just allows any tags to be input on forms without erroring
>Doesnt stop any of the other validators
>"Mark" <mf****@idonotlikespam.cce.umn.edu> wrote in message
>news:OU**************@TK2MSFTNGP10.phx.gbl...
>> Great idea. However, does this render all Validation controlsuseless? >> Like a Required Field Validator or similar?
>>
>> Thanks again.
>>
>> Mark
>>
>> "Shiva" <sh******@online.excite.com> wrote in message
>> news:e3**************@TK2MSFTNGP12.phx.gbl...
>> > Hi,
>> > This is a security measure implemented in ASP.NET (1.1) to avoid
>> > script-injections. If you want to turn this off, add
>> validateRequest="false"
>> > to the <@Page > directive on the page.
>> >
>> > To disable for the whole app, have this in your web.config (inside
>> > <configuration></configuration>):
>> >
>> > <system.web>
>> > <pages validateRequest="false" />
>> > </system.web>
>> >
>> > HTH.
>> >
>> > "Mark" <mf****@idonotlikespam.cce.umn.edu> wrote in message
>> > news:ub**************@TK2MSFTNGP09.phx.gbl...
>> > We have a multi-line textbox that users copy and paste email textinto. >> The
>> > pasted text frequently will contain a tag like <bl**@aol.com> or
>similar.
>> I
>> > believe .NET is protecting itself from code injection by throwing a
>global
>> > error when this occurs. The exception message is pasted below.
>> >
>> > We will NOT be able to train our users to eliminate all <> tags.
What's >> the
>> > best way to deal with this issue?
>> >
>> > Thanks in advance.
>> >
>> > Mark
>> >
>> > EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
>> > detected from the client (txtNote="<bl**@aol.com> ").
>> >
>> >
>> >
>>
>>
>
>
>
On Mon, 9 Aug 2004 10:32:52 -0500, Mark wrote: We have a multi-line textbox that users copy and paste email text into. The
pasted text frequently will contain a tag like <bl**@aol.com> or similar. I
believe .NET is protecting itself from code injection by throwing a global
error when this occurs. The exception message is pasted below.
We will NOT be able to train our users to eliminate all <> tags. What's the
best way to deal with this issue?
Thanks in advance.
Mark
EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
detected from the client (txtNote="<bl**@aol.com> ").
Request Validation is an ASP.NET feature, it could be turned off but
turning off is not recommended.
for a single page:
<%@ Page validateRequest="false" %>
for entire app:
<configuration>
<system.web>
<pages validateRequest="false" />
</system.web>
</configuration>
A good detailed description is at the official site: http://www.asp.net/faq/RequestValidation.aspx
- Oytun YILMAZ This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Eshrath |
last post by:
Hi,
What I am trying to do:
=======================
I need to form a table in html using the xsl but the table that is
formed is quite long and cannot be viewed in our application. So we
are...
|
by: Donald Firesmith |
last post by:
I am having trouble having Google Adsense code stored in XSL converted
properly into HTML. The <> unfortunately become < and > and then
no longer work.
XSL code is:
<script...
|
by: Rocky Moore |
last post by:
I have a web site called HintsAndTips.com. On this site people post tips
using a very simply webform with a multi line TextBox for inputing the tip
text. This text is encode to HTML so that no...
|
by: J.K. Bach |
last post by:
I have an ASP.NET project wherein module-level functions are declared
and implemented within the aspx page <%= %> tags.
This was working fine before, but now that I have recreated the project
to...
|
by: James |
last post by:
I would like to call a method of my code from within XSL but it does not seem
to like the presence of the '%' character inside the xsl.
Basicly the XSL loops through an XML writing url's into...
|
by: Swaine77 |
last post by:
:confused:
I've asked my professor about this one a couple of times in email and she gave me some tips but I still can't nail this one down. Our book only gives one example of using .innerHTML...
|
by: ajay2552 |
last post by:
Hi,
I have a query.
All html tags start with < and end with >. Suppose i want to display either '<' or '>' or say some text like '<Company>' in html how do i do it?
One method is to use <,...
|
by: Michael |
last post by:
Since the include function is called from within a PHP script, why
does the included file have to identify itself as a PHP again by
enclosing its code in <?php... <?>
One would assume that the...
| Checking for illegal characters in a textbox (eg. <,>,!,@,#,$,%,^,&,*,(,) )
by: uicouic |
last post by:
I have a textbox named "txtName" and a button (btnSave) on a webform.
After I have typed the illegal characters into the textbox and click "Save", I would like the webform to check for those...
|
by: Faith0G |
last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
| |
