About

I'm Mike Pope. I live in the Seattle area. I've been a technical writer and editor for over 30 years. I'm interested in software, language, music, movies, books, motorcycles, travel, and ... well, lots of stuff.
  10:21 AM

By default, ASP.NET performs request validation to stop people from submitting HTML markup or script to your site in a request. If someone includes markup in a page that they post to your site, ASP.NET throws a big ol' error:

[Screenshot of the error page: "A potentially dangerous Request.Form value was detected from the client"]

"Potentially dangerous Request.Form value" is a little dramatic; ASP.NET throws this error for even innocuous stuff, like <b> and <em>.

There are times when it's ok to let people submit HTML. For example, if you let people comment on things in your site, maybe you want to let them format their comments.

Update 30 June 2011: Ok, h/t to a tweet about this post: before proceeding, make sure you have read and understand the very important note at the end. :-)


The error message suggests a remedy. However, if you're working with ASP.NET Web Pages (.cshtml or .vbhtml files), the information isn't really relevant, on two counts:
  • The proposed fix — setting requestValidationMode="2.0" on the <httpRuntime> element in the Web.config file — isn't necessary. Don't do this if you're working with only .cshtml/.vbhtml pages; it relaxes validation for the whole site instead of for the one field you actually want.
  • The actual fix isn't listed.
Instead, to accept HTML, you can use code like this:
    @{
        var editedText = "";
        if(IsPost){
            // Read this one field without request validation; every other
            // field read through Request.Form is still validated as usual.
            editedText = Request.Unvalidated().Form["textbox1"];
        }
    }
As you can see, this syntax lets you be very specific about where you'll accept HTML; it's granular to the level of an individual field in a page. (You can see a few more examples in the Web Pages Quick Reference.)

A couple of notes here:
  • Remember that by default, Web Pages encodes anything that you display in the page. If you accept HTML and then want to turn around and display it as markup, use the Html.Raw method, like this:

    @Html.Raw(editedText)

  • Second, and very important, is that the point of request validation is to act as a first line of defense against things like cross-site scripting attacks. Once you read a field with Request.Unvalidated(), that defense is gone for that field, and if you then display the value with Html.Raw, whatever the user typed (including <script> tags, onclick= handlers, and javascript: links) runs in the browser of everyone who views the page. If you're going to accept arbitrary HTML from arbitrary users, you need to sanitize the HTML — strip it down to a whitelist of harmless tags and attributes — before you store or display it. There are libraries to help with this. (A StackOverflow post shows an example.)

Incidentally, the ASP.NET team knows that the error message is not up to date. It's been fixed. However, it won't be live until the next version of ASP.NET is released.
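To put the pieces above together, here is a complete Web Pages form that accepts HTML in exactly one field, sanitizes it, and only then renders it with Html.Raw. This is an added example, not code from the original post or from the ASP.NET team. It assumes the HtmlSanitizer NuGet package (namespace Ganss.XSS) has been added to the site; that choice of library is an assumption, and any whitelist-based sanitizer would do.

```cshtml
@* Added example (not from the original post). Assumes the HtmlSanitizer
   package (Ganss.XSS) is available to the site; the tag whitelist below is
   a reasonable default for formatted comments, not a requirement. *@
@using Ganss.XSS
@{
    var editedText = "";
    var safeHtml = "";

    if (IsPost) {
        // Request.Unvalidated() bypasses request validation for this one
        // field only. Any other field read via Request.Form is still
        // validated and would still throw for markup.
        editedText = Request.Unvalidated().Form["textbox1"];

        // Whitelist a handful of formatting tags. Everything else, including
        // <script>, style attributes, on* event handlers and javascript: URLs,
        // is removed before the value is ever rendered as markup.
        var sanitizer = new HtmlSanitizer();
        sanitizer.AllowedTags.Clear();
        foreach (var tag in new[] { "b", "i", "em", "strong", "p", "br", "a" }) {
            sanitizer.AllowedTags.Add(tag);
        }
        sanitizer.AllowedAttributes.Clear();
        sanitizer.AllowedAttributes.Add("href");
        sanitizer.AllowedSchemes.Clear();
        sanitizer.AllowedSchemes.Add("http");
        sanitizer.AllowedSchemes.Add("https");

        safeHtml = sanitizer.Sanitize(editedText);
    }
}
<!DOCTYPE html>
<html>
<body>
    <form method="post">
        @* @editedText is HTML-encoded by default, so the raw submission is
           shown back as text here and cannot execute. *@
        <textarea name="textbox1">@editedText</textarea>
        <input type="submit" value="Submit" />
    </form>

    @if (IsPost) {
        <h3>As submitted (encoded, displayed as text):</h3>
        <div>@editedText</div>

        <h3>Sanitized, then rendered as markup:</h3>
        <div>@Html.Raw(safeHtml)</div>
    }
</body>
</html>
```

Submitting `<b>hello</b><script>alert(1)</script>` into textbox1 shows the literal text in the first div and bold "hello" with the script stripped in the second; passing editedText to Html.Raw directly instead of safeHtml is the mistake the note above warns about.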
