A potentially dangerous Request.Form value was detected from the client
sc1977
Member
26 Points
12 Posts
Mar 18, 2008 12:38 PM
I am getting the message:
A potentially dangerous Request.Form value was detected from the client
when trying to save the read the value from a textarea which has the text ON=45 in it. It seems that the letters ON and = are causing a problem? If I put ON.=45 it is ok. Can someone explain to me how this is considered a potentially dangerous value? I'm trying to explain to my users why this would be bad, but I'm at a loss to explain.
Also, turning off the Validation for the page is not an option.
dharnendra
Contributor
2955 Points
551 Posts
Mar 18, 2008 12:54 PM
Hi,
Put validateRequest="false" in your page directive or web.config file.
http://msdn2.microsoft.com/en-us/library/ms972967.aspx
Thanks
Technical Leader
GTL-Ahmedabad
sc1977
Member
26 Points
12 Posts
Mar 18, 2008 12:58 PM
As stated in my post, I cannot turn the Validation off. This is happening inside a user control, so I can't turn it off. And, I don't consider it an option to turn it off at the Web.config level. I would just like someone to explain to me what is wrong with ON= as opposed to AL= or other combos of letters.
naimulah
Member
52 Points
25 Posts
Mar 18, 2008 01:00 PM
Try encoding the value (HTML encode).
kaushalparik...
All-Star
26568 Points
3692 Posts
MVP
Mar 18, 2008 01:03 PM
The .NET framework is throwing up an error because it detected something in the entered text which looks like an HTML statement. The text doesn't need to contain valid HTML, just anything with opening and closing angled brackets ("<...>").
The reason behind the error is as a security precaution. Developers need to be aware that users might try to inject HTML (or even a script) into a text box which may affect how the form is rendered. For further details see www.asp.net/learn/whitepapers/request-validation/.
This checking was not performed in the .NET 1.0 framework and was introduced with the .NET 1.1 framework.
Referenced Link > Troubleshooting: A potentially dangerous Request.Form value was detected
Hope it helps.
sc1977
Member
26 Points
12 Posts
Mar 18, 2008 01:08 PM
If you are telling me: "The text doesn't need to contain valid HTML, just anything with opening and closing angled brackets ("<...>")."
I don't see how that will apply to the text entered of "ON="? I haven't entered any angled brackets.
sc1977
Member
26 Points
12 Posts
Mar 18, 2008 01:09 PM
I cannot encode the value because it doesn't even make it to the server btn click event (I ran it in debug mode) before it crashes out. The problem lies in the transport of the text value back to the server for processing.
stratboogie
Participant
842 Points
206 Posts
Mar 18, 2008 01:12 PM
It is trying to prevent SQL injection. INNER JOIN Table t ON t.Id = OtherTable1.Id
Hope this helps.
Tim
naimulah
Member
52 Points
25 Posts
Mar 18, 2008 01:15 PM
FYI about encoding
http://forums.asp.net/t/1151879.aspx
sc1977
Member
26 Points
12 Posts
Mar 18, 2008 01:20 PM
Thank you! At least I know why I can't have "ON ="!
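
Editor's added example, not part of any post above and not the framework's own code: one pattern consistent with the behaviour reported in this thread (`ON=45` rejected, `ON.=45` and `AL=` accepted) is a filter that looks for HTML event-handler attributes such as `onclick=`, that is, the letters "on", optional further letters, optional whitespace, then "=". The sketch below models that kind of heuristic together with a tag-like `<` check; the class and method names are hypothetical and the exact rules are assumptions.

```csharp
using System;

// Added illustration: a simplified model of a request filter.
// This is NOT the ASP.NET implementation; all names are hypothetical.
static class RequestFilterSketch
{
    static bool IsAsciiLetter(char c) =>
        (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

    // Matches "on" + letters* + whitespace* + "=", case-insensitively,
    // unless the "on" is preceded by a letter (so "button=" is not a match).
    static bool LooksLikeEventHandler(string s, int i)
    {
        if (i + 1 >= s.Length) return false;
        if (char.ToLowerInvariant(s[i]) != 'o') return false;
        if (char.ToLowerInvariant(s[i + 1]) != 'n') return false;
        if (i > 0 && IsAsciiLetter(s[i - 1])) return false;
        int j = i + 2;
        while (j < s.Length && IsAsciiLetter(s[j])) j++;      // e.g. "click"
        while (j < s.Length && char.IsWhiteSpace(s[j])) j++;  // "ON =" also matches
        return j < s.Length && s[j] == '=';
    }

    // Matches "<" followed by a letter, "!", "/" or "?" (assumed tag-like rule).
    static bool LooksLikeTag(string s, int i) =>
        s[i] == '<' && i + 1 < s.Length &&
        (IsAsciiLetter(s[i + 1]) || "!/?".IndexOf(s[i + 1]) >= 0);

    public static bool IsSuspicious(string value)
    {
        for (int i = 0; i < value.Length; i++)
            if (LooksLikeTag(value, i) || LooksLikeEventHandler(value, i))
                return true;
        return false;
    }

    static void Main()
    {
        // Constructed sample inputs, including the values quoted in the thread.
        string[] samples = { "ON=45", "ON =45", "ON.=45", "AL=45",
                             "button=1", "<b>hi</b>", "a < b" };
        foreach (string s in samples)
            Console.WriteLine("{0,-10} {1}", s,
                IsSuspicious(s) ? "rejected" : "accepted");
    }
}
```

A filter like this runs on the raw posted value before any page or control event fires, which is why encoding the text in a button click handler comes too late to avoid the error.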