Web Forms :: HttpRequestValidationException In .NET 4?
Nov 29, 2010
Like many others, my web site now throws the following exception under .NET 4.0 where it used to behave perfectly well under .NET 2.0:
A potentially dangerous Request.Form value was detected from the client.I have added the following element to my web.config file:
<httpRuntime requestValidationMode="2.0" />
However, the error still appears. It is caused by the log-in and log-out buttons on my site, which are contained in a master-page. I think the reason might be because I make extensive use of hidden fields in my web pages, which the ASP.NET validation now complains about when the pages are posted back to the server after the buttons are pressed:
A potentially dangerous Request.Form value was detected from the client (ctl00$ctl00$mainContent_PH$mainContent_lCol_PH$hdnPageContent="...ssociation's Executive Com...").
(ctl00$ctl00$mainContent_PH$mainContent_lCol_PH$hdnPageContent is a hidden field containing large amounts of HTML.) The merits of this design are probably debatable; however, what I need now is a way of letting these buttons work whilst retaining some validation for the rest of the site (as I have always had up until now).
this exception is caused by entering scripts or disallowed text as "<script>", "<h1>" by the user. This exception will be thrown while processing the request.
After searching and trying, most of the solutions were to:
1- disable request validation in the page header (validateRequest="false") or in the pages section in web.config.
I dont see this is a solution, the XSS problem is still there, it just does not throw the exception.
2- To encode the text and decode it using Server.HtmlEncode and Server.HtmlDecode.
This is a good one, but have to go every single textbox and call this method (Server.Encode(txtAddress.Text)), but this require alot of effort to change the whole site, and some of them may be forgotten.
I was thinking of creating a new TextBox control (MyTextBox) to inherit from System.Web.UI.WebControls.TextBox and override the Text property, then Encode base.Text in the get accessor, and Decode base.Text in the set accessor.
This will also require to change the whole site, to use MyTextBox instead of TextBox.
I have this piece of code to handle the HttpRequestValidationException in my global.asax.cs file.protected void Application_Error(object sender, EventArgs e)
Is there a way I can handle HttpRequestValidationException without turning off ValidateInput?
What I really want is all HTML posted from a form to be automatically encoded in the model unless a particular property has the AllowHtml attribute set.
If I have to turn off ValidateInput, then what happens to the rest of my model validation? Will it still be validated or do I need to explicitally check ModelState.IsValid?
I'm also catching the exception in a custom model binder class but every time I try to access the offending property from Request.Form, the exception gets thrown. Is there a way to get that value in the model binder?
I think I might have stumbled onto a bug in ASP.NET MVC 3 RC. When I setup my MVC2 project in a new MVC3 project, copy paste classes, code, change name spaces, etc, etc, I ran into an issue in the following, simplified for explanation purpose, scenario:
Model:
public class WineDetails { [SkipRequestValidation] [Required(ErrorMessage = "Beschrijving verplicht")] public string Description { get; set; } }
ViewModel:
public class ViewModelCreateWine { public MasterData MasterData { get; set; } public WineDetails WineDetails { get; set; } }
ActionMethod:
[AcceptVerbs(HttpVerbs.Post)] public ActionResult CreateWine(ViewModelCreateWine viewModelCreateWine) { GetMasterDataRegions(viewModelCreateWine); if (Request.Params.ToString().IndexOf("Save") > 0) { if (TryValidateModel(viewModelCreateWine.WineDetails)) { m_wineService.CreateWine(viewModelCreateWine.WineDetails); return RedirectToAction("index", "Admin"); } } return View(viewModelCreateWine); }
The ActionMethod "CreateWine" needs to call the "CreateWine" method in the WineService so that in the end a new Wine is added to the Database. So far it looks ok. As shown in the above code the [SkipRequestValidation] is set on the "Description" property of the WineDetails model so that the user can add Rich Text to the description and HTML elements are allowed during the Request validation. This works perfectly fine until the Params collection of the Request is accessed in the code to check if the Save button is clicked. When this line of code is trying to execute the following exception is thrown:
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ViewModelCreateWine.WineDetails.Description="<p>HTML Content with...").
The same exception is thrown when I put the [ValidateInput(false)] attribute on the action method. When I comment out the "if" statement and its content there is no issue and the model validation works just fine and skips the Request Validation on the Description property as expected.
In MVC2 the above code worked fine with the [ValidateInput(false)] attribute on the action method.As I said I'm not sure if this is a bug, it very well might be my own stupidity, but I thought it would be worth to mention here. So any feedback is more than welcome.
In the load event of a web user control I have the following code which I am using to call a function in order to populate a HTML Text Area.The page hosting the control loads fine the first time it loads but on postback it throws the error
Quote:System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client I have seen people suggest <%@ Page ... validateRequest="false" %>
Firstly I would like to handle this at control level rather than on the hosting page .
Code: if (!Page.ClientScript.IsStartupScriptRegistered("AddText")) { Page.ClientScript.RegisterStartupScript [code]....
URL....I use this one as my login, and I addes hyperlink for Forgot Password. But why I can't access the FORGOT PASSWORD.aspx for every time I click it. And when I login it redirects t Forgot Password.How I can access it without logging in?
In our application we are using forms authentication, we have given defaulturl also in the config file. But the problem is that it is not getting redirected to the default url when the session timeout is occuring.
I have been presented with numerous word and excel docs. The goal is to put them online and bind to a database for the fields and also to store data for easy searching and reporting.
Has anyone done anything like this before?
I know the easy solution would be to create a database table for each particula form and also an ASP.net page for each form.
But then there are problems like printing and correct formating so it fits on the page, spaning multiple pages and so on.
And also is there any advice on how to write to PDF straight from the page?
I have a treeview named Treeview1 with checkboxes. I want the child checkboxes to be checked if parent is checked.
I am trying to use a simple code that I found on msdn :
[Code]....
For some reasons I got this error and I really dont understand why:
Type 'System.Windows.Forms.TreeViewEventArgs' is not defined.
warning BC40056: Namespace or type specified in the Imports 'System.Windows.Forms' doesn't contain any public member or cannot be found. Make sure the namespace or the type is defined and contains at least one public member. Make sure the imported element name doesn't use any aliases.
Really getting better with VS, but I've mostly been displaying data. I'm on a new project and now and I have a lot of data entry forms to create. I created a form to enter data into an access db and got it working. I thought it would be cool to add an edit button that fired a gridview to load on the same page, under my original forms, so that that they could load up the data and edit or delete mistakes. But when I try to update the gridview, it also tries to post the original forms (text boxes), which fail because there is no data in them, and I get an error.
What is the proper way to handle this in asp.net? I'm sure this is kind of a common issue. I've done some searching, but the search terms, like forms and gridview, are kind of generic and I'm not coming up with anything useful. I just need a more experienced person to point me in the right direction and I'll get it figured out.
My images show up find in design time, and if I have logged in and go back to the page, they show, but upon initial login,they aren't visible. What do I need to do?
In windows forms, there is the "show data sources" under the "data" menu item, and I love it because I can drag and drop the fields I need onto the form and it makes the control automatically.In web forms however, this option isn't there. Why? I try to drag and drop fields from the "server explorer" but it generates grids, I don't want grids I just want to drag and drop the text boxes or checkboxes etc.
Form1 is for the administrator. It has 5 fields. Field1 has a value for which the other values give details about it. This 5 fields are stored in a table. Form2 is for a user and its a data entry form. This forms has 12 fields. Each label in the form2 corresponds to the value of Field1 in form1. If suppose the admin fields 10 times the form1. The 10 labels of form2 are filled with values of field each time. The above is what I want to achieve. Also the two text box corresponding to the remaining two labels should be disabled for user.
I create a windows forms control library project, And build it. then i want it's dll to my web project, for this i used object tag which can display it on page. I made reference of dll to my project.did the following coding.
Below is the error whil i am developing the windows forms. it is coming while login in to the forms. Request For The Permission Of Type 'System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
I'm building a web page that is going to make extensive use of User Controls. Using "LoadControl" it will have one of about 20 different User Controls loaded at any one time. Each User Control is somewhat different, gathering different sorts of data.
I've already built the mechanism to load the User Control and pass strongly typed data to it. But now I'm tackling the part of returning the user data to the Parent Form. I can think of several possible approaches to take but wanted to reach out to the community to learn what the best practice for doing this is.
I am using the ASPNET_Captcha control for my login page. It works fine. However when i implement the forms authentication, the catcha image does not appear.
Do i need the location section in the web.config file? If yes can you share the details for the same.
what are the ways of handling multiple web forms data for saving into database after last form or editing data and saving back to database after last form is submitted.Previously I have used wizard & panels in a single form and also has cached data from multiple form to save when last form is submitted. Are there some better way to handle multiple web forms data for saving and editing ?
I am trying to bind data to a textbox in a web form as I do in win forms using dataset and binding manager.I also want to navigate through data by providing next and previous button. I am not able to achieve it. Could you please help me by providing an example? I don't want to use gridview or listview or any other. I only want to use textboxes.