About

I'm Mike Pope. I live in the Seattle area. I've been a technical writer and editor for over 30 years. I'm interested in software, language, music, movies, books, motorcycles, travel, and ... well, lots of stuff.

  10:21 AM

By default, ASP.NET performs request validation to prevent people from uploading HTML markup or script to your site. If someone includes markup in a page that they post to your site, ASP.NET throws a big ol' error:



"Potentially dangerous Request.Form value" is a little dramatic; ASP.NET throws this error for even innocuous stuff, like <b> and <em>.

There are times when it's ok to let people submit HTML. For example, if you let people comment on things in your site, maybe you want to let them format their comments.

Update 30 June 2011: Ok, h/t to a tweet about this post: before proceeding, make sure you have read and understand the very important note at the end. :-)


The error message suggests a remedy. However, if you're working with ASP.NET Web Pages (.cshtml or .vbhtml files), the information isn't really relevant, in two ways:
  • The proposed fix — add requestValidationMode="2.0" to the Web.config file — isn't necessary. Don't do this if you're working with only .cshtml/.vbhtml pages.
  • The actual fix isn't listed.
Instead, to accept HTML, you can use code like this:
@{
    var editedText = "";
    if (IsPost) {
        // Read this one field without request validation; every other
        // field in the request is still validated as usual.
        editedText = Request.Unvalidated().Form["textbox1"];
    }
}
As you can see, this syntax lets you be very specific about where you'll accept HTML; it's granular to the level of an individual field in a page. (You can see a few more examples in the Web Pages Quick Reference.)

A couple of notes here:
  • Remember that by default, Web Pages encodes anything that you display in the page. If you accept HTML and then want to turn around and display it as markup, use the Html.Raw method, like this:

    @Html.Raw(editedText)

  • Second, and very important, is that the point of request validation is to act as a first line of security defense against things like cross-site scripting attacks. If you're going to accept arbitrary HTML from arbitrary users, you need to sanitize the HTML before using it. There are libraries to help with this. (A StackOverflow post shows an example.)
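As an added example (not code from the original post), here is a complete .cshtml page that ties the Request.Unvalidated() snippet above and both notes together: only the comment field is read unvalidated, the name field stays under request validation, the name is displayed encoded, and the comment goes through an allowlist sanitizer before it reaches Html.Raw. The sanitizer, SanitizeHtml, is a hypothetical helper written for this example on top of the HtmlAgilityPack library (assumed to be referenced via NuGet); it is not one of the libraries the post refers to, and the tag allowlist is a constructed choice for a comment box.

```cshtml
@using System.Collections.Generic
@using System.Linq
@using HtmlAgilityPack

@functions {
    // Hypothetical helper for this example: keeps only the elements and
    // attributes listed here and drops everything else (script, style,
    // event-handler attributes, non-http(s) links).
    static readonly HashSet<string> AllowedTags = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase)
        { "b", "i", "em", "strong", "p", "br", "a", "ul", "ol", "li", "code", "pre", "blockquote" };

    public static string SanitizeHtml(string html)
    {
        if (string.IsNullOrEmpty(html)) return "";

        var doc = new HtmlDocument();
        doc.LoadHtml(html);

        // Descendants() is pre-order, so ancestors are handled before their
        // children; ToList() lets us remove nodes while walking.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment)
            {
                node.Remove();                      // comments carry no user-visible value
                continue;
            }
            if (node.NodeType != HtmlNodeType.Element) continue;

            if (!AllowedTags.Contains(node.Name))
            {
                if (node.Name == "script" || node.Name == "style")
                    node.Remove();                  // contents must go too
                else
                    node.ParentNode.RemoveChild(node, true); // unknown tag: keep its text
                continue;
            }

            foreach (var attr in node.Attributes.ToList())
            {
                // href on <a> is the only attribute allowed, and only for http/https.
                if (node.Name == "a" && attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase))
                {
                    Uri uri;
                    bool ok = Uri.TryCreate(attr.Value, UriKind.Absolute, out uri)
                              && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
                    if (ok)
                        attr.Value = uri.AbsoluteUri; // normalized and percent-escaped
                    else
                        attr.Remove();              // drops javascript:, data:, relative junk
                }
                else
                {
                    attr.Remove();                  // drops onclick, style, id, ...
                }
            }
        }
        return doc.DocumentNode.InnerHtml;
    }
}

@{
    var name = "";
    var comment = "";
    var safeComment = "";
    if (IsPost) {
        // "name" goes through request validation as usual; only "comment"
        // is read unvalidated, so markup in any other field still trips the error.
        name = Request.Form["name"] ?? "";
        comment = Request.Unvalidated().Form["comment"] ?? "";
        safeComment = SanitizeHtml(comment);
    }
}
<!DOCTYPE html>
<html>
<body>
    <form method="post">
        <p>Name: <input type="text" name="name" value="@name" /></p>
        <p>Comment (basic HTML allowed):<br />
           <textarea name="comment" rows="6" cols="60">@comment</textarea></p>
        <input type="submit" value="Post" />
    </form>
    @if (IsPost) {
        <h3>Preview</h3>
        @* Razor HTML-encodes @name, so any markup typed there shows up as text. *@
        <p><strong>@name</strong> wrote:</p>
        @* Only the sanitized string is emitted raw; the original never reaches Html.Raw. *@
        <div class="comment">@Html.Raw(safeComment)</div>
    }
</body>
</html>
```

With this page, a comment such as <b>hi</b><script>alert(1)</script><a href="javascript:alert(1)">x</a> renders as <b>hi</b><a>x</a>: the script element is removed with its contents, the javascript: link loses its href, and an element not on the list (a <div>, say) is unwrapped so its text survives. Whatever library you choose, the shape is the same: read the single field with Request.Unvalidated(), sanitize against an allowlist, and only then call Html.Raw.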

Incidentally, the ASP.NET team knows that the error message is not up to date. It's been fixed. However, it won't be live until the next version of ASP.NET is released.
