Hi All,
I have noticed a problem with the Grid inputs.
Given a normal Grid setup and a Bound string Column, a user hits Add and enters in the string:
<Test
Hitting save will yield a framework error that starts with:
A potentially dangerous Request.Form value was detected from the client ...
This is not acceptable, as we have no control over user entry and we in fact encourage the use of markup to format the inputs used later in forms. I realise that the use of an HTMLEditorColumn will in some way remove the problem for this field, but the risk still applies for all text inputs in grids.
What can be done about this? Can this error be trapped and dealt with client-side?
Will client-side scripting need to be implemented to "sanitise" the input before sending the request back to the server? If so, what rules do I need to apply to sanitise the data?
Thanks for your help,
Steele.