System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value

I’m working on a form to allow users to submit a request to our help desk system.

I recently had a user cut and paste some text from a work document into a text field. It had some bolded text in it, so then it caused the form to crash.

“System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client”

Here is a snippet of the code. I’m trying to HTML encode it, but I must not have the syntax correct, since I am still getting the error if I put some simple <b> strong</b> tags in the text field to deal with this problem gracefully.

MessageBody = MessageBody & "<strong>Application Name: </strong>&nbsp;" & txtApplicationName.Text & "<br/>"
MessageBody = MessageBody & "<strong>Existing Application Group:</strong>&nbsp;" & txtExistingApplicationGroup.Text & "<br/>"
MessageBody = MessageBody & "<strong>Rack Location:</strong>&nbsp;" & txtRackLocation.Text & "<br/>"
MessageBody = MessageBody & "<strong>Additional Comments / Requirements:</strong><br />" & Server.HtmlEncode(txtAdditionalRequirements.Text) & "<br/><br/></span>"

If anyone can see what it is I am doing wrong, it would be much appreciated.

I know I can disable the form validation for the complete page, but I do not want to do that.

It is a built-in function of ASP.NET to prevent malicious scripts using XSS. It stops you from posting any HTML to a page. To remove the validation and allow any HTML through, you can add this to the page directive:

ValidateRequest="false"

But you then need to do your own filtering as much as possible, so as not to allow <script> tags, etc.
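An added example (not code from any poster in this thread) of the "own filtering" step once the page directive carries ValidateRequest="false": every user-supplied field is HTML-encoded when the message body is built, not only the comments field. The module and function names are hypothetical, and WebUtility.HtmlEncode stands in for Server.HtmlEncode so the code runs outside a page.

```vb
Imports System
Imports System.Net
Imports System.Text
Imports Microsoft.VisualBasic

Module HelpDeskMessage

    ' Encode one user-supplied value for use inside an HTML body.
    ' WebUtility.HtmlEncode stands in for Server.HtmlEncode so this runs
    ' outside a page; line breaks are kept visible as <br/>.
    Function EncodeField(ByVal raw As String) As String
        If raw Is Nothing Then Return String.Empty
        Dim encoded As String = WebUtility.HtmlEncode(raw)
        Return encoded.Replace(vbCrLf, "<br/>").Replace(vbLf, "<br/>")
    End Function

    ' Append one labelled line. Only the fixed label carries markup.
    Sub AppendField(ByVal body As StringBuilder, ByVal label As String, ByVal value As String)
        body.Append("<strong>").Append(label).Append("</strong>&nbsp;")
        body.Append(EncodeField(value)).Append("<br/>")
    End Sub

    ' Hypothetical helper: the parameters correspond to the .Text values
    ' of the text boxes in the snippet above.
    Function BuildMessageBody(ByVal applicationName As String,
                              ByVal existingGroup As String,
                              ByVal rackLocation As String,
                              ByVal comments As String) As String
        Dim body As New StringBuilder()
        AppendField(body, "Application Name:", applicationName)
        AppendField(body, "Existing Application Group:", existingGroup)
        AppendField(body, "Rack Location:", rackLocation)
        AppendField(body, "Additional Comments / Requirements:", comments)
        Return body.ToString()
    End Function

    Sub Main()
        ' Constructed sample input, including pasted markup.
        Dim body As String = BuildMessageBody(
            "Payroll <b>strong</b>", "Finance & HR", "Rack 12",
            "Line one" & vbCrLf & "<script>x</script>")
        Console.WriteLine(body)
    End Sub

End Module
```

With the sample input, the pasted tags arrive in the message as literal text (`&lt;b&gt;`, `&lt;script&gt;`) and the ampersand in the group name becomes `&amp;`.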

Hey NightStalker,

I know I can put the ValidateRequest="false" code at the top of the page and it will work, but I do not want to do that if at all possible. I was hoping to be able to convert the text in the text box to HTML, then no matter what the user puts in the field it will not blow up the page or have any ill effects such as XSS.

You need to submit plain text to the aspx page, then with C# convert to HTML, as ValidateRequest stops the request as soon as it detects any malicious code in the GET or POST. So you would need to remove all traces of HTML from the text via JS before it gets submitted if you want it to pass the validation.

Not quite–I seem to recall you can handle the page’s ValidateRequest event and then pass stuff on, no JS required. Forgot the exact voodoo, but googling for that exception should help a bit.

Is that right? That is very good to know. I will try and remember that next time I need to do something like that.

Would Markdown (or Markdown.NET) be useful in this situation?