<> tags typed into an ASP.NET textbox

 
 
Mark
      08-09-2004
We have a multi-line textbox that users copy and paste email text into. The
pasted text frequently will contain a tag like <(E-Mail Removed)> or similar. I
believe .NET is protecting itself from code injection by throwing a global
error when this occurs. The exception message is pasted below.

We will NOT be able to train our users to eliminate all <> tags. What's the
best way to deal with this issue?

Thanks in advance.

Mark

EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
detected from the client (txtNote="<(E-Mail Removed)> ").


 
Shiva
      08-09-2004
Hi,
This is a security measure implemented in ASP.NET (1.1) to avoid
script-injections. If you want to turn this off, add validateRequest="false"
to the <%@ Page %> directive on the page.

To disable for the whole app, have this in your web.config (inside
<configuration></configuration>):

<system.web>
<pages validateRequest="false" />
</system.web>

HTH.

Mark
      08-09-2004
Great idea. However, does this render all Validation controls useless?
Like a Required Field Validator or similar?

Thanks again.

Mark

Steve Flitcroft
      08-09-2004
Nope, just allows any tags to be input on forms without erroring.
Doesn't stop any of the other validators.

Jim Cheshire [MSFT]
      08-09-2004
Mark,

We recommend that you not do this unless you pair it with writing some code
of your own to validate the request. In most cases, you can easily leave
validateRequest enabled in these circumstances by simply HTML-encoding the
data you are entering into the Textbox control.

Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support
(E-Mail Removed)

This post is provided "AS-IS" with no warranties and confers no rights.

Mark
      08-09-2004
Thanks Jim,

By "writing some code" I believe you're implying server side code. However,
I don't believe ANY of the server side code will even execute with the
validateRequest property set to "true". I believe the "HTML-encoding" would
also require server side code, which would similarly bomb. Correct? Am I
missing something here? (very likely)

Thanks again.

Mark

Ryan Riddell
      08-09-2004
You can do
validateRequest="false" in the page directive.

Then in code-behind you can do something like

string myString = HttpUtility.HtmlEncode(MyTextBox.Text);

Reply With Quote
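A sketch of the server-side handling that Jim's first reply and Ryan's reply point to, for a page that sets validateRequest="false": check the field yourself, keep the raw text, and HTML-encode it where it is written back into a page. This is an added example, not code from any poster in the thread; the class name NoteField, the 8000-character limit and the sample inputs are assumptions, and it is written as a console program for a current .NET SDK so it runs without a web server.

```csharp
using System;
using System.Linq;
using System.Web; // HttpUtility.HtmlEncode, the call used in the thread

public static class NoteField
{
    // Assumed upper bound for a pasted e-mail; choose one that fits the storage column.
    private const int MaxLength = 8000;

    // Stands in for the built-in check once validateRequest="false" is set:
    // angle brackets are allowed, but size and control characters are checked.
    public static bool TryAccept(string posted, out string note, out string error)
    {
        note = null;
        error = null;
        if (string.IsNullOrWhiteSpace(posted))
        { error = "Note is required."; return false; }
        if (posted.Length > MaxLength)
        { error = "Note is longer than " + MaxLength + " characters."; return false; }
        // Tabs and line breaks are normal in pasted mail; other control characters are not.
        if (posted.Any(c => char.IsControl(c) && c != '\r' && c != '\n' && c != '\t'))
        { error = "Note contains control characters."; return false; }
        note = posted; // store exactly what the user pasted
        return true;
    }

    // Encode at the point of output so "<name@host>" is shown as text
    // and any markup in the note is never interpreted by the browser.
    public static string RenderHtml(string note)
    {
        return "<pre>" + HttpUtility.HtmlEncode(note) + "</pre>";
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs, not taken from the thread.
        string[] samples =
        {
            "From: Alice <alice@example.com>\r\nMeeting moved to 3pm.",
            "<script>alert(1)</script>",
            "bad\u0000byte",
            ""
        };
        foreach (string posted in samples)
        {
            string note, error;
            Console.WriteLine(NoteField.TryAccept(posted, out note, out error)
                ? NoteField.RenderHtml(note)
                : "rejected: " + error);
        }
    }
}
```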
 
Jim Cheshire [MSFT]
      08-10-2004
Hi Mark,

If you want to leave validateRequest set to true, you will encode the data
on the client. You can do that by using the escape function in JavaScript.
You will then need to use UrlDecode against the data on the server side.

Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support
(E-Mail Removed)

This post is provided "AS-IS" with no warranties and confers no rights.
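
The round trip described in this reply, with two details that matter on the server: escape() leaves '+' unencoded and writes characters 128-255 as a single %XX value, and a bare UrlDecode call misreads both. This is an added example, not code from the thread; JsEscape is a C# stand-in for the browser's escape() so the program runs on its own, and the class name EscapedField and the sample text are assumptions.

```csharp
using System;
using System.Text;
using System.Web; // HttpUtility.UrlDecode and HttpUtility.HtmlEncode

public static class EscapedField
{
    // Characters JavaScript's escape() passes through unchanged.
    private const string PassThrough =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./";

    // Stand-in for the client: produces what escape() would put in the form field.
    public static string JsEscape(string s)
    {
        var sb = new StringBuilder();
        foreach (char c in s)
        {
            if (PassThrough.IndexOf(c) >= 0) sb.Append(c);
            else if (c < 256) sb.Append('%').Append(((int)c).ToString("X2"));
            else sb.Append("%u").Append(((int)c).ToString("X4"));
        }
        return sb.ToString();
    }

    // Server side. Two adjustments to a bare UrlDecode call:
    //  - '+' is literal in escape() output, but UrlDecode reads it as a space
    //  - %XX from escape() is a Latin-1 code unit, not a UTF-8 byte
    public static string Decode(string posted)
    {
        Encoding latin1 = Encoding.GetEncoding("iso-8859-1");
        return HttpUtility.UrlDecode(posted.Replace("+", "%2B"), latin1);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample text.
        string typed = "Reply to Zo\u00EB <zoe+lists@example.com>";
        // The posted value contains no '<' or '>' for request validation to reject.
        string posted = EscapedField.JsEscape(typed);
        string naive = HttpUtility.UrlDecode(posted);   // default UTF-8, '+' treated as space
        string decoded = EscapedField.Decode(posted);

        Console.WriteLine("posted : " + posted);
        Console.WriteLine("naive  : " + naive);
        Console.WriteLine("decoded: " + decoded);
        Console.WriteLine("round trip intact: " + (decoded == typed));

        // The decoded value holds raw angle brackets again, so it is
        // still HTML-encoded wherever it is written into a page.
        Console.WriteLine("output : " + HttpUtility.HtmlEncode(decoded));
    }
}
```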



 
Oytun YILMAZ
      08-10-2004
On Mon, 9 Aug 2004 10:32:52 -0500, Mark wrote:

> We have a multi-line textbox that users copy and paste email text into. The
> pasted text frequently will contain a tag like <(E-Mail Removed)> or similar. I
> believe .NET is protecting itself from code injection by throwing a global
> error when this occurs. The exception message is pasted below.
>
> We will NOT be able to train our users to eliminate all <> tags. What's the
> best way to deal with this issue?
>
> Thanks in advance.
>
> Mark
>
> EXCEPTION MESSAGE: A potentially dangerous Request.Form value was
> detected from the client (txtNote="<(E-Mail Removed)> ").


Request Validation is an ASP.NET feature; it could be turned off, but
turning it off is not recommended.

For a single page:
<%@ Page validateRequest="false" %>

For the entire app:
<configuration>
<system.web>
<pages validateRequest="false" />
</system.web>
</configuration>



A good detailed description is at the official site:
http://www.asp.net/faq/RequestValidation.aspx


- Oytun YILMAZ
 