Last post Feb 10, 2007 12:06 PM by folkertsj
Aug 18, 2006 11:05 PM|odamsr|LINK
Has anyone gotten the freetextbox control to work on your site? I am having a problem with trying to save the data to a sql database. It gives me the following error:
"A potential dangerous request.form was detected from the client."
I then tried to pass the value to an email and it still gave me the error. The field in the table is ntext per the freetextbox's website.
Aug 19, 2006 05:00 AM|XIII|LINK
With freetextbox it's possible to inject markup that ASP.NET, by default, considers to be a potential threat and could result in XSS (cross site scripting) attacks. However you can turn it off, but be careful because you're opening your site to attacks in this case, by setting the ValidateRequest setting in the @Page directive of your page or setting it in the <pages> section of the web.config to get it set site wide.
Taken from MSDN:
This feature is enabled in the machine configuration file (Machine.config). You can disable it in your application configuration file (Web.config) or on the page by setting this attribute to
Note: This functionality helps reduce the risk of cross-site scripting attacks for straightforward pages and ASP.NET applications. An application that does not properly validate user input can suffer from many types of malformed input attacks, including cross-site scripting and SQL Server injection attacks. There is no substitute for carefully evaluating all forms of input in an application and making sure that they are either properly validated or encoded, or that the application is escaped prior to manipulating data or sending information back to the client. For more information about cross-site scripting, see http://www.cert.org/advisories/CA-2000-02.html.
Aug 19, 2006 10:21 AM|odamsr|LINK
Feb 06, 2007 03:36 PM|FollowTheSon|LINK
Can anyone tell me if there is another workaround for this? I've been adding this "ValidateRequest=false" and I STILL periodically get this error. Plus, what if you don't want to turn Validation off?!?! Is there no other workaround? I find that hard to believe.
Thanks in advance!
Feb 07, 2007 12:28 PM|jwadsworth|LINK
You should be using the Server.HtmlEncode and Server.HtmlDecode. Check out this article. It should solve this issue for you.
Feb 10, 2007 02:29 AM|folkertsj|LINK
Doesn't the editor already render it as HTML without doing the html.encode? Just curious on this because I have tried everything else and I have not had anything working but to set the requestvalidate="false". Just curious.
Feb 10, 2007 11:33 AM|jwadsworth|LINK
I'm not sure how the FreeTextBox control works. However, I just tested it in my kit and if I remove the HTMLEncode, and enter in <script> alert('Hello'); </script>, I get the hello alert when my page loads the saved content of the freetextbox.
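The encode-before-save pattern discussed above, as an added C# example that is not part of the original thread or of FreeTextBox itself. `WebUtility.HtmlEncode`/`HtmlDecode` stand in for `Server.HtmlEncode`/`Server.HtmlDecode` so it runs as a console program; the helper names and the sample input are assumptions.

```csharp
using System;
using System.Net; // WebUtility: stand-in for Server.HtmlEncode/HtmlDecode outside a page

static class FreeTextBoxEncodingDemo
{
    // Hypothetical helper: encode the editor's HTML before it is saved.
    static string ToStorage(string editorHtml)
    {
        return WebUtility.HtmlEncode(editorHtml);
    }

    // Hypothetical helper: decode a stored value to load it back into the editor.
    static string ToEditor(string stored)
    {
        return WebUtility.HtmlDecode(stored);
    }

    // Crude check for this demo only: would a browser see a script tag?
    static bool HasScriptTag(string html)
    {
        return html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    static void Report(string label, string html)
    {
        Console.WriteLine("{0,-32} script tag: {1,-5} {2}", label, HasScriptTag(html), html);
    }

    static void Main()
    {
        // Constructed input: the test string from the post above plus some formatting.
        string submitted = "<b>Welcome</b><script> alert('Hello'); </script>";

        string stored = ToStorage(submitted);

        // Written to the page exactly as stored: shown as text, nothing executes.
        Report("stored value written as-is", stored);

        // Decoded and then written to the page: the script tag is back.
        Report("decoded before writing to page", ToEditor(stored));

        // Never encoded at all: same result as the alert described above.
        Report("raw submitted value", submitted);
    }
}
```

Once the value is decoded, the encoding no longer protects anything, so decoded content that is shown to other visitors has to be restricted to an allow-list of tags first.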
Feb 10, 2007 12:06 PM|folkertsj|LINK
Weird, I have been using the innova editor and that seems to work pretty well, it has a .dll for it and an image manager built right in so that is nice. Like I said earlier, I am not all that familiar with other editors but with my experience with them, they normally all render the text as HTML without having to declare server.htmlencode. Different programs I guess render the text in different ways. I appreciate the response and have a good day. Keep up the good work.