About

I'm Mike Pope. I live in the Seattle area. I've been a technical writer and editor for over 30 years. I'm interested in software, language, music, movies, books, motorcycles, travel, and ... well, lots of stuff.
  10:21 AM

By default, ASP.NET performs request validation to prevent people from uploading HTML markup or script to your site. If someone includes markup in a page that they post to your site, ASP.NET throws a big ol' error:



"Potentially dangerous Request.Form value" is a little dramatic; ASP.NET throws this error for even innocuous stuff, like <b> and <em>.

There are times when it's ok to let people submit HTML. For example, if you let people comment on things in your site, maybe you want to let them format their comments.

Update 30 June 2011: Ok, h/t to a tweet about this post: before proceeding, make sure you have read and understand the very important note at the end. :-)


The error message suggests a remedy. However, if you're working with ASP.NET Web Pages (.cshtml or .vbhtml files), the information isn't really relevant, in two ways:
  • The proposed fix — add requestValidation="2.0" to the Web.config file — isn't necessary. Don't do this if you're working with only .cshtml/.vbhtml pages.
  • The actual fix isn't listed.
Instead, to accept HTML, you can use code like this:
    @{
        // Razor code block in a .cshtml page. Request.Unvalidated() bypasses
        // request validation for this one read only; every other field is
        // still validated as usual.
        var editedText = "";
        if (IsPost) {
            editedText = Request.Unvalidated().Form["textbox1"];
        }
    }
As you can see, this syntax lets you be very specific about where you'll accept HTML; it's granular to the level of an individual field in a page. (You can see a few more examples in the Web Pages Quick Reference.)

A couple of notes here:
  • Remember that by default, Web Pages encodes anything that you display in the page. If you accept HTML and then want to turn around and display it as markup, use the Html.Raw method, like this:

    @Html.Raw(editedText)

  • Second, and very important, is that the point of request validation is to act as a first line of security defense against things like cross-site scripting attacks. If you're going to accept arbitrary HTML from arbitrary users, you need to sanitize the HTML before using it. There are libraries to help with this. (A Stack Overflow post shows an example.)
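The following .cshtml page is an added example (not code from the original post) that puts the two pieces together: it reads the field with Request.Unvalidated(), then, instead of trusting the raw markup, HTML-encodes everything and re-enables only an exact allowlist of attribute-free tags such as <b> and <em> before handing the result to Html.Raw. The AllowSimpleMarkup helper and the AllowedTags list are hypothetical names introduced for this example; the textbox1 field name is taken from the post.

```cshtml
@using System.Web
@functions {
    // Hypothetical helper, not part of ASP.NET. Tags are matched as exact,
    // lowercase, attribute-free tokens, so <b onclick=...> or <B> stay encoded.
    static readonly string[] AllowedTags = { "b", "em", "i", "strong", "p", "br" };

    public static string AllowSimpleMarkup(string input)
    {
        if (string.IsNullOrEmpty(input)) { return ""; }

        // Step 1: neutralise all markup, including <script> and on* attributes.
        string safe = HttpUtility.HtmlEncode(input);

        // Step 2: restore only the literal tokens &lt;b&gt; / &lt;/b&gt; etc.
        // Anything with attributes contains a space and never matches.
        foreach (var tag in AllowedTags)
        {
            safe = safe.Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                       .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return safe;
    }
}
@{
    var editedText = "";
    var displayHtml = "";
    if (IsPost) {
        // Only this field skips request validation.
        editedText = Request.Unvalidated().Form["textbox1"];
        // Sanitize before it ever reaches Html.Raw.
        displayHtml = AllowSimpleMarkup(editedText);
    }
}
<form method="post">
    @* Razor encodes @editedText here by default, so the raw input is safe to echo. *@
    <textarea name="textbox1">@editedText</textarea>
    <input type="submit" value="Save" />
</form>
<div>
    @* Only the allowlisted tags render as markup; everything else shows as text. *@
    @Html.Raw(displayHtml)
</div>
```

With this helper, input such as `<b>hi</b><script>alert(1)</script>` renders bold "hi" followed by the literal text `<script>alert(1)</script>`.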

Incidentally, the ASP.NET team knows that the error message is not up to date. It's been fixed. However, it won't be live until the next version of ASP.NET is released.
