Security problem with Request.Form

Oct 12, 2010 at 12:24 AM


I'm implementing the editor (named Myeditor) control, but I have some other listboxes to determine which data the user will be entering, and they have autopostback activated.

The problem is, when a listbox sends a post action, I get this error:

A potentially dangerous Request.Form value was detected from the client (Myeditor$editortext="<p><br></p>").

Now, I can disable that checking using ValidateRequest="false", but I'd like to know if are there another method to do it.

Thanks a lot!!

Oct 12, 2010 at 12:47 AM

Hello James, you can selectively disable requestvalidation at the page level ( on that particular page the editor sits) and instead make your own validation rules on the input manually and taking precautions like htmlencoding/decoding and selectively disabling markup you do not want posted back. Unfortunately, the default behavior of requestvalidation in happens quite early and it's an all or nothing approach that simply chokes when html is present in the request.

When you feel you want to collect html, ASP.NET simply throws the ball back into your hands and leaves this responsibility up to you to perform the correct validations. You may check out a sandbox project that microsoft provides for validating properly such input :



Oct 24, 2010 at 8:30 PM

Hello, in the new release I have also added minimum documentation for the editor. I have added a small section regarding RequestValidation :

You or someone else reading this thread might find it useful.