Richa Chauhan
Top achievements
Rank 1
Rank 1
Richa Chauhan
asked on 05 Aug 2011, 03:37 PM
Hi All,
If HTML tags (eg: <<test>>) are entered in the textboxes, throws exception.
This is a problem in asp.net textbox as well. To fix this problem there are two solutions I know:
1) turn of the ValidationRequest.
2) Write a javascript to encrypt/decrypt or replace the tags with < and >
I would like to know if anyone has a better suggestion to resolve this issue.
As turning off validationRequestion opens it for cross-site scripting attacks.
If I try the second option, when the page is rendered and displayed, it shows as < for fraction of seconds and then changes to <. This looks odd to the users. The problem exists both in VS2008/.net3.5 and VS2010/.net4.0
Any suggestions would be highly appreciated.
Thanks,
Richa
If HTML tags (eg: <<test>>) are entered in the textboxes, throws exception.
This is a problem in asp.net textbox as well. To fix this problem there are two solutions I know:
1) turn of the ValidationRequest.
2) Write a javascript to encrypt/decrypt or replace the tags with < and >
I would like to know if anyone has a better suggestion to resolve this issue.
As turning off validationRequestion opens it for cross-site scripting attacks.
If I try the second option, when the page is rendered and displayed, it shows as < for fraction of seconds and then changes to <. This looks odd to the users. The problem exists both in VS2008/.net3.5 and VS2010/.net4.0
Any suggestions would be highly appreciated.
Thanks,
Richa
4 Answers, 1 is accepted
0
psanchez117
Top achievements
Rank 1
Rank 1
answered on 09 Aug 2011, 06:28 PM
There is literally no help for this particular question. But, i was able to turn of validation on the page to get around the issue. If you turn of page validation though you need to write in the code to replace the dangerous characters with their html equivelant.
To turn of page validation, try this...
Modify your web.config file to allow you to turn off validation for a single page.
Then add the ValidateRequest="false" to the page directive
This should keep the page from validating before the postback happens. Then you can let your code modify your text accordingly.
Using javascript to do it (like you mentioned) presents the problem where the text is changed on the page. But if you use a method in the code behind, you can modify the text as you access it and not have to worry about the visual dilemma :)
I hope this is helpful.
Phil
To turn of page validation, try this...
Modify your web.config file to allow you to turn off validation for a single page.
<sytem.web> <httpRuntime requestValidationMode="2.0"/></system.web>Then add the ValidateRequest="false" to the page directive
<%@ Page Title="" Language="vb" AutoEventWireup="false" CodeBehind="page.aspx.vb" Inherits="project.page" ValidateRequest="false" %>This should keep the page from validating before the postback happens. Then you can let your code modify your text accordingly.
Using javascript to do it (like you mentioned) presents the problem where the text is changed on the page. But if you use a method in the code behind, you can modify the text as you access it and not have to worry about the visual dilemma :)
I hope this is helpful.
Phil
0
Richa Chauhan
Top achievements
Rank 1
Rank 1
answered on 09 Aug 2011, 07:58 PM
Phil,
Thanks for the response. In my app for now I've set the validaterequest to false.
I was just thinking iif there is any better solution for this problem.
Anyways thanks a lot for the response.
Richa
Thanks for the response. In my app for now I've set the validaterequest to false.
I was just thinking iif there is any better solution for this problem.
Anyways thanks a lot for the response.
Richa
0
Eric
Top achievements
Rank 1
Rank 1
answered on 22 Oct 2013, 07:54 PM
Has anyone found a way around this without turning off request validation? That feature is in there for a reason (security). I'm not sure if it helps, but it has to do with a hidden "ClientState" value populated with what looks like JSON-formatted values. Here's an example where I populated a textbox with "a <br /> b". What you're seeing is the runtime value. Line breaks added only for readability.
To make it a little more readable, here's the unescaped tags.
<input id="ctl00_txtDesc_ClientState" name="ctl00_txtDesc_ClientState"
type="hidden" autocomplete="off"
value="{"enabled":true,"emptyMessage":"",
"validationText":"a <br /> b",
"valueAsString":"a <br /> b",
"lastSetTextBoxValue":"a <br /> b"}">To make it a little more readable, here's the unescaped tags.
<input id="ctl00_txtDesc_ClientState" name="ctl00_txtDesc_ClientState"
type="hidden" autocomplete="off"
value='{"enabled":true,"emptyMessage":"",
"validationText":"a <br /> b",
"valueAsString":"a <br /> b",
"lastSetTextBoxValue":"a <br /> b"}'>0
Hello Eric,
You can use the RadEditor control. It will allow you to submit text like markup, since it validate itself internally and does not count on the asp validation.
Regards,
Vasil
Telerik
You can use the RadEditor control. It will allow you to submit text like markup, since it validate itself internally and does not count on the asp validation.
Regards,
Vasil
Telerik
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to the blog feed now.