mike's web log
posted at 10:21 AM

By default, ASP.NET performs request validation to prevent people from uploading HTML markup or script to your site. If someone includes markup in a page that they post to your site, ASP.NET throws a big ol' error:



"Potentially dangerous Request.Form value" is a little dramatic; ASP.NET throws this error for even innocuous stuff, like <b> and <em>.

There are times when it's ok to let people submit HTML. For example, if you let people comment on things in your site, maybe you want to let them format their comments.

Update 30 June 2011: Ok, h/t to a tweet about this post: before proceeding, make sure you have read and understand the very important note at the end. :-)


The error message suggests a remedy. However, if you're working with ASP.NET Web Pages (.cshtml or .vbhtml files), the information isn't really relevant, in two ways:
  • The proposed fix — add requestValidation="2.0" to the Web.config file — isn't necessary. Don't do this if you're working with only .cshtml/.vbhtml pages.
  • The actual fix isn't listed.
Instead, to accept HTML, you can use code like this:
    @{
        var editedText = "";
        if(IsPost){
            // Read this one field without request validation; every other field stays validated.
            editedText = Request.Unvalidated().Form["textbox1"];
        }
    }
As you can see, this syntax lets you be very specific about where you'll accept HTML; it's granular to the level of an individual field in a page. (You can see a few more examples in the Web Pages Quick Reference.)

A couple of notes here:
  • Remember that by default, Web Pages encodes anything that you display in the page. If you accept HTML and then want to turn around and display it as markup, use the Html.Raw method, like this:

    @Html.Raw(editedText)

  • Second, and very important, is that the point of request validation is to act as a first line of security defense against things like cross-site scripting attacks. If you're going to accept arbitrary HTML from arbitrary users, you need to sanitize the HTML before using it. There are libraries to help with this. (A StackOverflow post shows an example.)
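As an added example (not code from the original post), here is a complete Web Pages .cshtml file that puts the pieces above together: it reads a single field with Request.Unvalidated(), reduces the submitted HTML to a fixed set of harmless tags by encoding everything and then re-enabling only those exact tags, and displays the result with Html.Raw. The field name commentBox and the allowlist (b, em, i, strong) are assumptions.

```cshtml
@* Added example, not from the original post. Field name and tag list are assumptions. *@
@functions {
    // Bare tags only, no attributes, so nothing like onclick= or href= can survive.
    static readonly string[] AllowedTags = { "b", "em", "i", "strong" };

    // Encode the whole string first, then re-enable only the exact allowed tags.
    // Anything else the user typed (script, attributes, other tags) stays encoded.
    public static string AllowSimpleFormatting(string input)
    {
        if (string.IsNullOrEmpty(input)) { return ""; }
        var encoded = System.Net.WebUtility.HtmlEncode(input);
        foreach (var tag in AllowedTags)
        {
            encoded = encoded
                .Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return encoded;
    }
}
@{
    var safeMarkup = "";
    if (IsPost) {
        // Only this one field bypasses request validation; other fields stay validated.
        var raw = Request.Unvalidated().Form["commentBox"];
        safeMarkup = AllowSimpleFormatting(raw);
    }
}
<!DOCTYPE html>
<html>
<body>
    <form method="post">
        <textarea name="commentBox"></textarea>
        <input type="submit" value="Post" />
    </form>
    @* Html.Raw is acceptable here only because safeMarkup was built from encoded text. *@
    <div>@Html.Raw(safeMarkup)</div>
</body>
</html>
```

Submitting `<b>hi</b><script>alert(1)</script>` renders bold "hi" followed by the script tag as visible, encoded text rather than running it; a full-featured sanitizer library is still the better choice once you need attributes or links.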

Incidentally, the ASP.NET team knows that the error message is not up to date. It's been fixed. However, it won't be live until the next version of ASP.NET is released.
