
GridView Error : Dangerous value

Hi there,

I'm working on a GridView and I'm getting an error:
A potentially dangerous Request.Form value was detected from the client (ctl00$Content$GridView1$ctl03$TextBox1="<span class='txtColo...")

I'm using an Access database, and whenever I try to update this it doesn't work.
  1. <%@ Page Language="C#" MasterPageFile="Mysite.master" Title="Untitled Page" %>
  2. <script runat = "server">
  /// <summary>
  /// Hides the error label on every request and binds the page's data-bound
  /// controls on the first (non-postback) load only.
  /// </summary>
  /// <param name="sender">The page raising the event (unused).</param>
  /// <param name="e">Event data (unused).</param>
  protected void Page_Load(object sender, EventArgs e)
  {
      Label7.Visible = false;
      if (IsPostBack)
      {
          // Postbacks keep their view state; rebinding would discard user edits.
          return;
      }
      DataBind();
  }
  /// <summary>
  /// Empty handler. The grid's OnSelectedIndexChanged attribute in the markup points at
  /// GridView1_SelectedIndexChanged1, so this method is not referenced by the markup shown.
  /// </summary>
  protected void GridView1_SelectedIndexChanged(object sender, EventArgs e)
  {
  }
  14.  
  15.  
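  /// <summary>
  /// Handles the footer "Insert" button: reads the page, section and value entered in the
  /// footer row and inserts a new Page_Content row through the typed table adapter.
  /// </summary>
  /// <param name="sender">The button that raised the event (unused).</param>
  /// <param name="e">Event data (unused).</param>
  protected void Button1_Click1(object sender, EventArgs e)
  {
      Label7.Visible = false;
      GridView1.FooterRow.Visible = false;
      try
      {
          GridViewRow footer = GridView1.FooterRow;
          DropDownList pageList = (DropDownList)footer.FindControl("DropDownList2");
          TextBox valueBox = (TextBox)footer.FindControl("ValueBox");
          DropDownList sectionList = (DropDownList)footer.FindControl("SectionBox");

          string val = valueBox.Text;
          int page1;
          int sbox1;
          // Both lists carry a placeholder <asp:ListItem Value="0">Select</asp:ListItem>, so the
          // posted value is "0" (never the display text "Select"/"Selet"). Parse the value and
          // require a non-zero ID instead of comparing it against the display text, which let
          // the placeholder through and could throw from Convert.ToInt32.
          bool validPage = int.TryParse(pageList.SelectedValue, out page1) && page1 != 0;
          bool validSection = int.TryParse(sectionList.SelectedValue, out sbox1) && sbox1 != 0;

          if (validPage && validSection && !string.IsNullOrEmpty(val))
          {
              DataSet2TableAdapters.Page_ContentTableAdapter pcAdap = new DataSet2TableAdapters.Page_ContentTableAdapter();
              pcAdap.Insert(page1, sbox1, val);
              DataBind();
          }
          else
          {
              GridView1.FooterRow.Visible = true;
              Label7.Visible = true;
              Label7.Text = "Error : Please select the specified fields and fill the value";
          }
      }
      catch (Exception e1)
      {
          // Record the details server-side (visible only when page tracing is enabled) and show
          // a generic message: the exception text can expose file paths, connection details and
          // stack frames to the browser.
          Trace.Warn("Button1_Click1", "Page_Content insert failed", e1);
          // The original left Label7 hidden here, so the error text never showed.
          GridView1.FooterRow.Visible = true;
          Label7.Visible = true;
          Label7.Text = "Error : The value could not be inserted.";
      }
  }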
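  /// <summary>
  /// Handles the header "Page Type" list: when a page type is chosen, fills the footer's page
  /// list (DropDownList2) and section list (SectionBox) for that type and shows the footer row;
  /// when the placeholder (value 0) is chosen, hides the footer row again.
  /// </summary>
  /// <param name="sender">The list that raised the event (unused).</param>
  /// <param name="e">Event data (unused).</param>
  protected void DropDownList1_SelectedIndexChanged(object sender, EventArgs e)
  {
      GridView1.FooterRow.Visible = true;
      try
      {
          DropDownList typeList = (DropDownList)GridView1.HeaderRow.FindControl("DropDownList1");
          int cID;
          // The list's placeholder item has Value="0"; a non-numeric or empty value is treated
          // like the placeholder instead of throwing from Convert.ToInt32.
          if (int.TryParse(typeList.SelectedValue, out cID) && cID != 0)
          {
              GridViewRow footer = GridView1.FooterRow;

              DropDownList pageList = (DropDownList)footer.FindControl("DropDownList2");
              DataSet2TableAdapters.PageTableAdapter pAdapt = new DataSet2TableAdapters.PageTableAdapter();
              pageList.DataSource = pAdapt.GetSelectedDataBy(cID);
              pageList.DataTextField = "Name";
              pageList.DataValueField = "ID";
              pageList.DataBind();

              DropDownList sectionList = (DropDownList)footer.FindControl("SectionBox");
              DataSet2TableAdapters.Page_DetailTableAdapter pdAdapt = new DataSet2TableAdapters.Page_DetailTableAdapter();
              sectionList.DataSource = pdAdapt.GetDataByPageType(cID);
              sectionList.DataTextField = "Section Name";
              sectionList.DataValueField = "ID";
              sectionList.DataBind();
          }
          else
          {
              GridView1.FooterRow.Visible = false;
          }
      }
      catch (Exception e1)
      {
          // Keep exception details out of the rendered page; they can reveal file paths,
          // connection details and stack frames. Tracing records them server-side.
          Trace.Warn("DropDownList1_SelectedIndexChanged", "Loading page/section lists failed", e1);
          GridView1.FooterRow.Visible = true;
          Label7.Visible = true;
          Label7.Text = "Error : The page and section lists could not be loaded.";
      }
  }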
  /// <summary>
  /// Empty handler wired to the footer's DropDownList2 via OnSelectedIndexChanged. That list
  /// has no AutoPostBack in the markup shown, so this presumably only fires on another
  /// control's postback — confirm before adding logic here.
  /// </summary>
  protected void DropDownList2_SelectedIndexChanged(object sender, EventArgs e)
  {
  }
  /// <summary>
  /// Handles the footer "Cancel" button by hiding the grid's footer row.
  /// </summary>
  /// <param name="sender">The button that raised the event (unused).</param>
  /// <param name="e">Event data (unused).</param>
  protected void Button2_Click(object sender, EventArgs e)
  {
      GridViewRow footer = GridView1.FooterRow;
      footer.Visible = false;
  }
  /// <summary>
  /// Empty handler for the ItemTemplate's "Edit" LinkButton. The button also carries
  /// CommandName="Edit", which the GridView handles itself, so nothing is needed here.
  /// </summary>
  protected void LinkButton1_Click(object sender, EventArgs e)
  {
  }
  90.  
  /// <summary>
  /// Empty handler wired to the EditItemTemplate's DropDownList3 (the "Page" list).
  /// </summary>
  protected void DropDownList3_SelectedIndexChanged(object sender, EventArgs e)
  {
  }
  /// <summary>
  /// Empty handler; this is the method the grid's OnSelectedIndexChanged attribute references.
  /// </summary>
  protected void GridView1_SelectedIndexChanged1(object sender, EventArgs e)
  {
  }
  97. </script>
  98. <asp:Content ID="Content2" ContentPlaceHolderID="Content" Runat="Server">
  99. <asp:GridView ID="GridView1" runat="server" AllowPaging="True" AllowSorting="True"
  100. AutoGenerateColumns="False" CellPadding="4" DataKeyNames="ID" DataSourceID="AccessDataSource1"
  101. ForeColor="#333333" GridLines="None" OnSelectedIndexChanged="GridView1_SelectedIndexChanged1">
  102. <FooterStyle BackColor="#507CD1" Font-Bold="True" ForeColor="White" />
  103. <Columns>
  104. <asp:TemplateField HeaderText="Page" SortExpression="Page">
  105. <EditItemTemplate>
  106. <asp:DropDownList ID="DropDownList3" runat="server" AppendDataBoundItems="True" DataSourceID="PageDataSource1"
  107. DataTextField="Page Name" DataValueField="Page" Font-Size="Smaller" OnSelectedIndexChanged="DropDownList3_SelectedIndexChanged"
  108. SelectedValue='<%# Bind("Page") %>'>
  109. <asp:ListItem Value="0">Select</asp:ListItem>
  110. </asp:DropDownList><asp:AccessDataSource ID="PageDataSource1" runat="server" DataFile="~/App_Data/database.mdb"
  111. SelectCommand="SELECT Page.ID AS Page, Page.Name AS [Page Name] FROM (Page INNER JOIN [Page Type] ON Page.[Page Type] = [Page Type].ID) ">
  112. </asp:AccessDataSource>
  113.  
  114. </EditItemTemplate>
  115. <HeaderTemplate>
  116. <asp:DropDownList ID="DropDownList1" runat="server" AppendDataBoundItems="True"
  117. AutoPostBack="True" DataSourceID="PageDataSource1" DataTextField="Page Type"
  118. DataValueField="ID" OnSelectedIndexChanged="DropDownList1_SelectedIndexChanged">
  119. <asp:ListItem Value="0">Select</asp:ListItem>
  120. </asp:DropDownList><br />
  121. <br />
  122. <asp:Label ID="Label6" runat="server" Text="Page"></asp:Label>
  123. <asp:Label ID="Label5" runat="server" Text="Page Type"></asp:Label>
  124. <asp:ObjectDataSource ID="PageDataSource1" runat="server" DeleteMethod="Delete" InsertMethod="Insert"
  125. OldValuesParameterFormatString="original_{0}" SelectMethod="GetData" TypeName="DataSet2TableAdapters.Page_TypeTableAdapter"
  126. UpdateMethod="Update">
  127. <DeleteParameters>
  128. <asp:Parameter Name="Original_ID" Type="Int32" />
  129. <asp:Parameter Name="Original_Page_Type" Type="String" />
  130. <asp:Parameter Name="Original_Description" Type="String" />
  131. <asp:Parameter Name="Original_Page_Path" Type="String" />
  132. <asp:Parameter Name="Original_Rank" Type="Int32" />
  133. <asp:Parameter Name="Original_Show_Menu" Type="Boolean" />
  134. <asp:Parameter Name="Original_Template" Type="Int32" />
  135. </DeleteParameters>
  136. <UpdateParameters>
  137. <asp:Parameter Name="Page_Type" Type="String" />
  138. <asp:Parameter Name="Description" Type="String" />
  139. <asp:Parameter Name="Page_Path" Type="String" />
  140. <asp:Parameter Name="Rank" Type="Int32" />
  141. <asp:Parameter Name="Show_Menu" Type="Boolean" />
  142. <asp:Parameter Name="Template" Type="Int32" />
  143. <asp:Parameter Name="Original_ID" Type="Int32" />
  144. <asp:Parameter Name="Original_Page_Type" Type="String" />
  145. <asp:Parameter Name="Original_Description" Type="String" />
  146. <asp:Parameter Name="Original_Page_Path" Type="String" />
  147. <asp:Parameter Name="Original_Rank" Type="Int32" />
  148. <asp:Parameter Name="Original_Show_Menu" Type="Boolean" />
  149. <asp:Parameter Name="Original_Template" Type="Int32" />
  150. </UpdateParameters>
  151. <InsertParameters>
  152. <asp:Parameter Name="Page_Type" Type="String" />
  153. <asp:Parameter Name="Description" Type="String" />
  154. <asp:Parameter Name="Page_Path" Type="String" />
  155. <asp:Parameter Name="Rank" Type="Int32" />
  156. <asp:Parameter Name="Show_Menu" Type="Boolean" />
  157. <asp:Parameter Name="Template" Type="Int32" />
  158. </InsertParameters>
  159. </asp:ObjectDataSource>
  160. </HeaderTemplate>
  161. <FooterTemplate>
  162.  
  163. <asp:DropDownList ID="DropDownList2" runat="server" AppendDataBoundItems="True" OnSelectedIndexChanged="DropDownList2_SelectedIndexChanged"
  164. Width="130px">
  165. <asp:ListItem Value="0">Select</asp:ListItem>
  166. </asp:DropDownList>
  167.  
  168. </FooterTemplate>
  169. <ItemTemplate>
  170. <asp:Label ID="Label1" runat="server" Text='<%# Bind("[Page Name]") %>'></asp:Label>
  171. </ItemTemplate>
  172. </asp:TemplateField>
  173. <asp:TemplateField HeaderText="Page Section" SortExpression="Page Section">
  174. <EditItemTemplate>
  175. <asp:DropDownList ID="DropDownList4" runat="server" DataSourceID="SectionDataSource2"
  176. DataTextField="Section Name" DataValueField="Section ID" SelectedValue='<%# Bind("[Page Section]") %>'
  177. Width="155px">
  178. </asp:DropDownList><asp:AccessDataSource ID="SectionDataSource2" runat="server" DataFile="~/App_Data/database.mdb"
  179. SelectCommand="SELECT DISTINCT [Page Detail].[Section Name], [Page Detail].ID AS [Section ID] FROM ([Page Content] INNER JOIN [Page Detail] ON [Page Content].[Page Section] = [Page Detail].ID)">
  180. </asp:AccessDataSource>
  181.  
  182. </EditItemTemplate>
  183. <FooterTemplate>
  184. <asp:DropDownList ID="SectionBox" runat="server" AppendDataBoundItems="True">
  185. <asp:ListItem Value="0">Select</asp:ListItem>
  186. </asp:DropDownList>
  187. </FooterTemplate>
  188. <ItemTemplate>
  189. <asp:Label ID="Label2" runat="server" Text='<%# Bind("[Section Name]") %>'></asp:Label>
  190. </ItemTemplate>
  191. </asp:TemplateField>
  192.  
  193.  
  194. <asp:TemplateField HeaderText="Value" SortExpression="Value">
  195.  
  196.  
The problem lies in this section; please have a look.
TextBox1 is bound to a value:
  1. <EditItemTemplate> 
  2.  
  3.  
  4. <asp:TextBox ID="TextBox1" runat="server" Text='<%# Bind("Value") %>'
  5. TextMode="MultiLine"></asp:TextBox>
  6.  
  7.  
  8. </EditItemTemplate>
  9.  
  10. <FooterTemplate>
  11. <asp:TextBox ID="ValueBox" runat="server" TextMode="MultiLine"></asp:TextBox>
  12. </FooterTemplate>
  13.  
  14. <ItemTemplate>
  15. <asp:TextBox ID="TextBox4" runat="server" BorderColor="Transparent"
  16. BorderStyle="None" ForeColor="Transparent" MaxLength="256" ReadOnly="True"
  17. Rows = "2" Text='<%# Bind("Value", "{0}") %>' TextMode="MultiLine" AutoCompleteType="Notes" Enabled="False" EnableTheming="False"></asp:TextBox>
  18. </ItemTemplate>
  19.  
  20. </asp:TemplateField>
  21. <asp:TemplateField HeaderText="ID" InsertVisible="False" ShowHeader="False" SortExpression="ID"
  22. Visible="False">
  23. <EditItemTemplate>
  24. <asp:Label ID="EditLabel1" runat="server" Text='<%# Eval("ID") %>'></asp:Label>
  25. </EditItemTemplate>
  26. <ItemTemplate>
  27. <asp:Label ID="Label4" runat="server" Text='<%# Bind("ID") %>'></asp:Label>
  28. </ItemTemplate>
  29. </asp:TemplateField>
  30. <asp:TemplateField ShowHeader="False">
  31. <EditItemTemplate>
  32. <asp:LinkButton ID="LinkButton1" runat="server" CausesValidation="True" CommandName="Update"
  33. Text="Update"></asp:LinkButton>
  34. <asp:LinkButton ID="LinkButton2" runat="server" CausesValidation="False" CommandName="Cancel"
  35. Text="Cancel"></asp:LinkButton>
  36. </EditItemTemplate>
  37. <FooterTemplate>
  38. <asp:Button ID="Button1" runat="server" OnClick="Button1_Click1"
  39. Text="Insert" />
  40. <asp:Button ID="Button2" runat="server" OnClick="Button2_Click"
  41. Text="Cancel" Width="53px" />
  42. </FooterTemplate>
  43. <ItemTemplate>
  44. <asp:LinkButton ID="LinkButton1" runat="server" CausesValidation="False" CommandName="Edit"
  45. OnClick="LinkButton1_Click" Text="Edit"></asp:LinkButton>
  46. <asp:LinkButton ID="LinkButton2" runat="server" CausesValidation="False" CommandName="Delete"
  47. Text="Delete"></asp:LinkButton>
  48. </ItemTemplate>
  49. </asp:TemplateField>
  50. </Columns>
  51. <RowStyle BackColor="#EFF3FB" />
  52. <EditRowStyle BackColor="#2461BF" />
  53. <SelectedRowStyle BackColor="#D1DDF1" Font-Bold="True" ForeColor="#333333" />
  54. <PagerStyle BackColor="#2461BF" ForeColor="White" HorizontalAlign="Center" />
  55. <HeaderStyle BackColor="#507CD1" Font-Bold="True" ForeColor="White" />
  56. <AlternatingRowStyle BackColor="White" />
  57. </asp:GridView>
  58. <asp:Label ID="Label7" runat="server" Font-Bold="True" Font-Names="Courier New"
  59. Text="Label"></asp:Label>
  60.  
  61. <asp:AccessDataSource ID="AccessDataSource1" runat="server" DataFile="~/App_Data/database.mdb"
  62. DeleteCommand="DELETE FROM [Page Content] WHERE (ID = ?)" SelectCommand="SELECT PC.Page, PC.[Page Section], PC.[Value], PC.ID, P.Name AS [Page Name], PD.[Section Name] FROM (([Page Content] PC INNER JOIN Page P ON PC.Page = P.ID) INNER JOIN [Page Detail] PD ON PC.[Page Section] = PD.ID)"
  63. UpdateCommand="UPDATE [Page Content] SET Page = ?, [Page Section] = ?, [Value] = ? WHERE (ID = ?)">
  64. </asp:AccessDataSource>
  65. </asp:Content>
  66.  
Can any one help please :)

Thank you

Regards,
Ahmed
Jan 9 '09 #1
liawcv
33
In the @Page directive, set its ValidateRequest property to false:
  1. <%@ Page ... ValidateRequest="false" %>
  2.  
But be reminded that allowing users to post unaltered HTML content could create a security hole (script injection) in your page. If you use this approach, you should encode the input string with the Server.HtmlEncode() method before processing it further, or disallow dangerous HTML tags such as <script>, etc.
Jan 9 '09 #2
Hi liawcv,

Thank you very much... I figured that out yesterday :) ... but about Server.HtmlEncode(): can you provide me any examples? I mean, where should I call this method?

Thank you

Regards,
Ahmed
Jan 10 '09 #3
liawcv
33
Suppose txtMessage contains "<span>This is the text</span>". Then,

string s = Server.HtmlEncode(txtMessage.Text);

will make variable s contain "&lt;span&gt;This is the text&lt;/span&gt;".

Normally we encode the input before it is updated or inserted into the database (or other data store).
Jan 11 '09 #4
So after using this method, how would the result look in the GridView? Would it be the same as before using "Server.HtmlEncode()", or would the result be encoded?
Jan 11 '09 #5
liawcv
33
&lt; will be displayed as <
&gt; will be displayed as >
&lt;span&gt; will be displayed as <span>
Well, you get the pure text, not the HTML.

If you would like to get back the original input string, use Server.HtmlDecode(). Thus, &lt;script&gt; will be rendered as a real <script> tag in your page. However, if you would like the input to be rendered as HTML, then it is not required to encode and then decode again.

If you want your <span> rendered as HTML rather than as pure text, then encoding (and decoding) it will be pointless. Perhaps you can filter your input string so that only particular HTML tags are accepted, such as <span>, <b>, <i>, etc.
Jan 11 '09 #6
Thank you very much, this is very helpful...

Thankyou,

Regards,
Ahmed
Jan 11 '09 #7
