Security problem with Request.Form

Oct 11, 2010 at 11:24 PM

Hi!

I'm implementing the editor (named Myeditor) control, but I have some other listboxes to determine which data the user will be entering, and they have autopostback activated.

The problem is, when a listbox sends a post action, I get this error:

A potentially dangerous Request.Form value was detected from the client (Myeditor$editortext="<p><br></p>").

Now, I can disable that checking using ValidateRequest="false", but I'd like to know if there is another method to do it.

Thanks a lot!!

Coordinator
Oct 11, 2010 at 11:47 PM

Hello James, you can selectively disable request validation at the page level (on the particular page where the editor sits) and instead make your own validation rules on the input manually, taking precautions like HTML encoding/decoding and selectively disabling markup you do not want posted back. Unfortunately, the default behavior of request validation in ASP.NET happens quite early, and it's an all-or-nothing approach that simply chokes when HTML is present in the request.

When you feel you want to collect HTML, ASP.NET simply throws the ball back into your hands and leaves this responsibility up to you to perform the correct validations. You may check out a sandbox project that Microsoft provides for properly validating such input:

http://msdn.microsoft.com/en-us/security/aa973814.aspx

Alessandro
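
An added example, not part of the original thread or the editor's own code: one way to do the manual validation described in the reply above once `ValidateRequest="false"` is set on the page, by HTML-encoding the whole posted value and then restoring only an allowlist of attribute-free tags. The class name `EditorInputFilter`, the method `Sanitize` and the tag list are hypothetical; `WebUtility.HtmlEncode` is the standard .NET encoder.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class EditorInputFilter
{
    // Hypothetical allowlist: plain formatting tags only, never with attributes.
    private static readonly string[] AllowedTags =
        { "p", "br", "b", "i", "em", "strong", "ul", "ol", "li" };

    // Matches an already-encoded tag that carries no attributes,
    // e.g. &lt;p&gt;, &lt;/p&gt; or &lt;br /&gt;.
    private static readonly Regex EncodedBareTag = new Regex(
        @"&lt;(/?)([a-zA-Z]+)\s*(/?)&gt;", RegexOptions.Compiled);

    public static string Sanitize(string postedHtml)
    {
        if (string.IsNullOrEmpty(postedHtml)) return string.Empty;

        // Step 1: encode everything, so no raw markup survives.
        // A literal "&lt;" typed by the user becomes "&amp;lt;" and
        // therefore cannot be mistaken for a tag in step 2.
        string encoded = WebUtility.HtmlEncode(postedHtml);

        // Step 2: restore only exact, attribute-free allowlisted tags.
        return EncodedBareTag.Replace(encoded, m =>
        {
            string name = m.Groups[2].Value.ToLowerInvariant();
            if (Array.IndexOf(AllowedTags, name) < 0) return m.Value;
            string selfClose = m.Groups[3].Value.Length > 0 ? " /" : "";
            return "<" + m.Groups[1].Value + name + selfClose + ">";
        });
    }

    public static void Main()
    {
        // Constructed sample inputs: the value from the error message,
        // then markup with an event handler and a script element.
        Console.WriteLine(Sanitize("<p><br></p>"));
        Console.WriteLine(Sanitize("<p onclick=\"x()\">hi</p><script>x()</script>"));
    }
}
```

Tags with attributes and any tag outside the list stay encoded, so they render as text instead of executing when the stored value is written back to a page.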

 

Coordinator
Oct 24, 2010 at 7:30 PM

Hello, in the new release I have also added minimal documentation for the editor. I have added a small section regarding RequestValidation:

http://docs.typps.com/2010/10/html-editor.html#requestvalidation

You or someone else reading this thread might find it useful.

Alessandro