HttpRequestValidationException error

6 posts, 0 answers
  1. Thomas
    143 posts
    Member since: Feb 2007

    Posted 03 Nov 2009

    We have a RadComboBox with EnableLoadOnDemand set to true which can potentially contain angle brackets and such. The RadComboBox shows this information with no difficulty even though it does not appear to be HtmlEncoded. When an event fires and the system does a postback, we get an HttpRequestValidationException. If I HtmlEncode the item text before I populate the combobox, I see the encoding rather than the encoded character. I.e., I see &amp;amp; rather than an ampersand. I realize I can globally disable request validation but that is far from an ideal solution. Where do I need to HtmlEncode the text so that it displays properly and does not throw an exception on submitting the page?
  2. Simon
    Admin
    2281 posts

    Posted 06 Nov 2009

    Hello Thomas,

    Although not the ideal solution, disabling Request Validation would be the only solution in this case. Since the Form collection is read-only upon postback you cannot alter it to encode the value of the Input field and avoid the validation exception.

    On the other hand, you could set RequestValidation to false only for the page in question. Since Items' Texts are predefined, meaning that you know what HTML will be there, there should not be any security risks in disabling validation for the page unless AllowCustomText/EnableLoadOnDemand is set to true.

    In this case the user will be able to type some arbitrary text in the input. So, you could use HttpUtility.HtmlEncode at the server to encode the text of the Input. Additionally, if you have any other input fields you could encode their values as well using the same utility.

    Regards,
    Simon
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Watch a video on how to optimize your support resource searches and check out more tips on the blogs.
  4. Thomas
    143 posts
    Member since: Feb 2007

    Posted 06 Nov 2009

    I guess I'm a bit confused as to why this is happening at all. If the control is calling HtmlEncode on the data, then why the postback issue if all invalid characters are encoded? If the control is not calling HtmlEncode, then why do I see the encoding when I call HtmlEncode on loading the control?

    In my case, the combobox does have EnableLoadOnDemand set to true.

  5. Simon
    Admin
    2281 posts

    Posted 10 Nov 2009

    Hello Thomas,

    RadComboBox does not html-encode the text in the input internally.

    So, when EnableLoadOnDemand is set to true in your case, your option would be to disable RequestValidation on the page and manually encode/decode any input coming from/going to the client-side.

    Regards,
    Simon
    the Telerik team

  6. Thomas
    143 posts
    Member since: Feb 2007

    Posted 10 Nov 2009

    Why does the output get encoded twice when I manually load the combo box in my load on demand scenario? One would think that we need only html encode the values once when they are sent from the server. When I do that in my code behind, I see the encoding instead of the encoded characters which implies that the control is doing some html encoding and then html decoding it on the client?

    How would I go about doing the html encoding on the client before postback? We obviously need to handle both the scenario where the combo was loaded (so only the Text property) and where it was loaded.
  7. Simon
    Admin
    2281 posts

    Posted 16 Nov 2009

    Hi Thomas,

    This happens because RadComboBox actually encodes the Text of Items (so encoding them once again in the ItemsRequested event handler will result in what you describe).

    As to when to encode the Text in the input prior to posting back, you could do this in the respective event handler of the element triggering the postback, e.g. the click event of an input type button.

    Greetings,
    Simon
    the Telerik team
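
The client-side step suggested in the last reply, encoding the input text in the click handler of the element that triggers the postback, written out as an added example (not code from the thread or from Telerik). The function names are hypothetical, `looksDangerous` is only an approximation of what ASP.NET request validation rejects, and the combo object is assumed to expose the RadComboBox client methods `get_text()` and `set_text()`.

```javascript
// Encode the characters that matter for HTML. The apostrophe is left alone on
// purpose: its numeric entity (&#39;) contains "&#", which request validation
// also rejects.
function htmlEncode(text) {
  return String(text)
    .replace(/&/g, "&amp;")   // must run first, or the entities below get re-encoded
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Inverse of htmlEncode, for code that needs the raw text back.
function htmlDecode(text) {
  return String(text)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&");  // must run last
}

// Approximation (assumption of this example) of the patterns that raise
// HttpRequestValidationException: "<" followed by a letter, "!", "/" or "?",
// and the sequence "&#".
function looksDangerous(value) {
  return /<[a-zA-Z!\/?]|&#/.test(value);
}

// Remembers what each combo was last set to, so a second click (for example
// after a cancelled postback) does not encode the same text twice.
const lastEncoded = new WeakMap();

// Call from the click handler of the element that triggers the postback.
function encodeComboBeforePostback(combo) {
  const current = combo.get_text();
  if (lastEncoded.get(combo) === current) {
    return current;           // already encoded by an earlier click
  }
  const encoded = htmlEncode(current);
  combo.set_text(encoded);
  lastEncoded.set(combo, encoded);
  return encoded;
}
```

On the server the posted text then has to be decoded once (for example with `HttpUtility.HtmlDecode`) before it is compared with item texts, and encoded again wherever it is written back into HTML.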
