When the user submits a form containing an HTML tag to the server, ASP.NET checks whether there is any tag in the form, and if there is, it shows an error:
A potentially dangerous Request.Form value was detected from the client.
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Why?
ASP.NET checks the content of the form sent to the server to prevent cross-site scripting (XSS). Without the request validation feature, a user could, for example, send a form containing JavaScript that redirects to another website. Then, when you show that content, the browser interprets it and executes the script. Note that anything between '<' and '>' is considered dangerous, and the tag does not necessarily have to be closed with '>' ("<a" would be considered potentially dangerous). ASP.NET validates the query string as well.
Try it:
<%@ Page Language="C#" ValidateRequest="false" %>
<html>
<script runat="server">
    void submitclick(Object sender, EventArgs e)
    {
        // Deliberately written back unencoded: the browser executes the submitted script.
        Response.Write(textbox.Text);
    }
</script>
<body>
    <form runat="server">
        <asp:TextBox id="textbox" runat="server" Text="<script>window.location='http://google.com'</script>" />
        <asp:Button id="submitbutton" runat="server" onclick="submitclick" Text="Submit" />
    </form>
</body>
</html>
The problem
This feature works fine, but what if you do need the user to enter content between the characters '<' and '>'? And even if you want to restrict the user's input, how do you show the error in a friendly way?
First-off
To handle this yourself, you have to disable the request validation feature, because ASP.NET performs the validation before any of your code runs.
You can disable the request validation in the page by setting the attribute validateRequest to false:
<%@ Page ValidateRequest="false" %>
Or you can disable it for your entire application in the web.config file:
<configuration>
    <system.web>
        <pages validateRequest="false" />
    </system.web>
</configuration>
Encoding the content
You can use the method Server.HtmlEncode to encode the characters to their HTML-encoded equivalents: '<' is converted to &lt; and '>' to &gt;. This way they are interpreted as plain characters, as text.
Try it:
<%@ Page Language="C#" ValidateRequest="false" %>
<html>
<script runat="server">
    void submitclick(Object sender, EventArgs e)
    {
        // Encoded on output: '<' and '>' reach the browser as &lt; and &gt; and are rendered as text.
        Response.Write(Server.HtmlEncode(textbox.Text));
    }
</script>
<body>
    <form runat="server">
        <asp:TextBox id="textbox" runat="server" Text="<script>window.location='http://google.com'</script>" />
        <asp:Button id="submitbutton" runat="server" onclick="submitclick" Text="Submit" />
    </form>
</body>
</html>
Friendly error message
If you want to ensure that the user's content does not contain dangerous values, you can use your own validator.
Try it:
<%@ Page Language="C#" ValidateRequest="false" %>
<html>
<script runat="server">
    void submitclick(Object sender, EventArgs e)
    {
        // The validator runs on the server too; check its result before using the input,
        // since the client-side check can be skipped.
        if (!Page.IsValid) return;
        Response.Write(textbox.Text);
    }
</script>
<body>
    <form id="Form1" runat="server">
        <asp:TextBox id="textbox" runat="server" Text="<script>window.location='http://google.com'</script>" />
        <asp:Button id="submitbutton" runat="server" onclick="submitclick" Text="Submit" />
        <asp:RegularExpressionValidator runat="server" ControlToValidate="textbox" ValidationExpression="^[\w]+$" ErrorMessage="Use only alphanumeric characters" />
    </form>
</body>
</html>
Changing the content
Another approach is to remove the tags from the user input.
Try it:
<%@ Page Language="C#" ValidateRequest="false" %>
<%@ Import Namespace="System.Text.RegularExpressions" %>
<html>
<script runat="server">
    void submitclick(Object sender, EventArgs e)
    {
        // Removes every '<...>' sequence from the input before writing it back.
        Response.Write(Regex.Replace(textbox.Text, "\\<[^\\>]*>", ""));
    }
</script>
<body>
    <form id="Form1" runat="server">
        <asp:TextBox id="textbox" runat="server" Text="<script>window.location='http://google.com'</script>" />
        <asp:Button id="submitbutton" runat="server" onclick="submitclick" Text="Submit" />
    </form>
</body>
</html>
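The three treatments above (encoding, whitelisting with the validator's expression, and tag stripping) applied to the post's own sample input as a console program, so their outputs can be compared side by side. This is an added example, not code from the original post; it assumes WebUtility.HtmlEncode as a stand-in for Server.HtmlEncode, and the WouldTripRequestValidation check is an approximation of the rule the post describes, not ASP.NET's implementation.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class InputHandling
{
    // Constructed sample input: the same value the post places in the TextBox.
    const string Sample = "<script>window.location='http://google.com'</script>";

    // 1. Encoding: the browser renders '<' and '>' as characters, not markup.
    //    WebUtility.HtmlEncode is assumed here as the console equivalent of Server.HtmlEncode.
    public static string Encode(string input) => WebUtility.HtmlEncode(input);

    // 2. Whitelisting: the same expression the post's RegularExpressionValidator uses,
    //    evaluated on the server, since client-side validation can be bypassed.
    public static bool IsAlphanumeric(string input) => Regex.IsMatch(input, @"^[\w]+$");

    // 3. Stripping: the same replacement the post uses in Response.Write.
    public static string StripTags(string input) => Regex.Replace(input, @"\<[^\>]*>", "");

    // Approximation (assumption) of the rule the post states for request validation:
    // a '<' followed by a tag-like character is flagged even without a closing '>',
    // so "<a" is rejected. Not ASP.NET's own implementation.
    public static bool WouldTripRequestValidation(string input)
        => Regex.IsMatch(input, @"<[A-Za-z!/?]");

    static void Main()
    {
        Console.WriteLine("Trips request validation: " + WouldTripRequestValidation(Sample));
        Console.WriteLine("Encoded:                  " + Encode(Sample));
        Console.WriteLine("Alphanumeric only:        " + IsAlphanumeric(Sample));
        Console.WriteLine("Stripped:                 " + StripTags(Sample));
        Console.WriteLine("Stripped, text survives:  " + StripTags("Hello <b>world</b>"));
        Console.WriteLine("Plain value flagged?      " + WouldTripRequestValidation("2 < 3 > 1"));
    }
}
```

Note that stripping leaves the script's text behind as plain characters, and that "2 < 3 > 1" is not flagged because neither '<' is followed by a tag-like character; encoding is the only one of the three that preserves the user's input unchanged while making it safe to display.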
Remember
When disabling request validation on a page, make sure to validate all input from that page.
When disabling request validation for the application, make sure to validate input across the entire application.
Important
The examples are only meant to illustrate the given solutions; remember to validate on the server side as well.