Textboxes with HTML tags (eg: <<test>>) throw error

  1. Richa Chauhan

    Posted 05 Aug 2011

    Hi All,
    If HTML tags (eg: <<test>>) are entered in the textboxes, it throws an exception.
    This is a problem in the asp.net textbox as well. To fix this problem there are two solutions I know:
    1) turn off the ValidationRequest.
    2) Write a javascript to encrypt/decrypt or replace the tags with &lt; and &gt;
    I would like to know if anyone has a better suggestion to resolve this issue,
    as turning off ValidationRequest opens it up to cross-site scripting attacks.
    If I try the second option, when the page is rendered and displayed, it shows &lt; for a fraction of a second and then changes to <. This looks odd to the users. The problem exists both in VS2008/.net3.5 and VS2010/.net4.0.
    Any suggestions would be highly appreciated.
  2. psanchez117

    Posted 09 Aug 2011

    There is literally no help for this particular question. But, I was able to turn off validation on the page to get around the issue. If you turn off page validation though, you need to write in the code to replace the dangerous characters with their HTML equivalent.

    To turn off page validation, try this...

    Modify your web.config file to allow you to turn off validation for a single page.

         <httpRuntime requestValidationMode="2.0"/>

    Then add ValidateRequest="false" to the page directive:
    <%@ Page Title="" Language="vb" AutoEventWireup="false" CodeBehind="page.aspx.vb" Inherits="project.page" ValidateRequest="false" %>

    This should keep the page from validating before the postback happens. Then you can let your code modify your text accordingly.

    Using javascript to do it (like you mentioned) presents the problem where the text is changed on the page. But if you use a method in the code-behind, you can modify the text as you access it and not have to worry about the visual dilemma :)

    I hope this is helpful.
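One way to do the server-side replacement described above, as an added C# code-behind example that is not from this thread (the page name and the control names txtDesc, btnSave and litPreview are assumptions; the page's @Page directive is assumed to carry ValidateRequest="false" as shown):

```csharp
// Code-behind for an assumed page "Describe.aspx" whose @Page directive has
// ValidateRequest="false", so txtDesc.Text arrives unmodified on postback.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Describe : Page
{
    protected void btnSave_Click(object sender, EventArgs e)
    {
        // Raw input, e.g. "a <br /> b" or "<script>alert(1)</script>".
        string raw = txtDesc.Text;

        // Encode exactly once, at the point where the text becomes HTML.
        // Literal (and Label) write their Text to the page verbatim, so an
        // unencoded assignment here is the cross-site scripting hole that
        // request validation was protecting against.
        litPreview.Text = HttpUtility.HtmlEncode(raw);

        // TextBox HTML-encodes its value attribute when it renders, so echoing
        // the raw text back into the box is safe, and the browser shows "<"
        // directly: there is no "&lt;" flicker, because nothing is rewritten
        // on the client after the page is displayed.
        txtDesc.Text = raw;

        // If the value is persisted, store it raw and encode on every render;
        // never HtmlDecode stored text before writing it into the page.
    }
}
```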
  3. Richa Chauhan

    Posted 09 Aug 2011

    Thanks for the response. In my app for now I've set ValidateRequest to false.
    I was just thinking if there is any better solution for this problem.
    Anyways thanks a lot for the response.
  4. Eric

    Posted 22 Oct 2013

    Has anyone found a way around this without turning off request validation? That feature is in there for a reason (security). I'm not sure if it helps, but it has to do with a hidden "ClientState" value populated with what looks like JSON-formatted values. Here's an example where I populated a textbox with "a <br /> b". What you're seeing is the runtime value. Line breaks added only for readability.

    <input id="ctl00_txtDesc_ClientState" name="ctl00_txtDesc_ClientState"
    type="hidden" autocomplete="off"
    &quot;validationText&quot;:&quot;a &lt;br /&gt; b&quot;,
    &quot;valueAsString&quot;:&quot;a &lt;br /&gt; b&quot;,
    &quot;lastSetTextBoxValue&quot;:&quot;a &lt;br /&gt; b&quot;}"

    To make it a little more readable, here are the unescaped tags.
    <input id="ctl00_txtDesc_ClientState" name="ctl00_txtDesc_ClientState"
    type="hidden" autocomplete="off"
    "validationText":"a <br /> b",
    "valueAsString":"a <br /> b",
    "lastSetTextBoxValue":"a <br /> b"}'>
  5. Vasil

    Posted 25 Oct 2013

    Hello Eric,

    You can use the RadEditor control. It will allow you to submit text like markup, since it validates itself internally and does not count on the asp validation.
