
Thread: A potentially dangerous Request.Form value was detected from the client

  1. #1

    TysonLPrice (Thread Starter, Wall Poster) | Join Date: Sep 2002 | Location: Columbus, Ohio | Posts: 3,834

    A potentially dangerous Request.Form value was detected from the client

    I'm just starting to scratch the surface of web programming and was given an assignment here at work. The issue is when a user cuts and pastes a web address into a text box the program generates an error. The text of the message, when executed online, really just pointed out there was no error handling. Running the application in development caught the issue:

    Description: ASP.NET has detected data in the request that is potentially dangerous because it might include HTML markup or script. The data might represent an attempt to compromise the security of your application, such as a cross-site scripting attack. If this type of input is appropriate in your application, you can include code in a web page to explicitly allow it. For more information, see http://go.microsoft.com/fwlink/?LinkID=212874.

    Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (txtStudyQuestion="...or Android<https://aka.ms/ghei...").

    I looked into it and see there is what appears to be a way to allow this without errors by setting "<pages validateRequest="false" />". However, right under that solution is a warning:

    Note: But always avoid the last example because there is a huge security issue. The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks.
    However, we recommend that you analyze any request validation errors to determine whether existing handlers, modules, or other custom code accesses potentially unsafe HTTP inputs that could be XSS attack vectors.

    I'm not really sure what that is saying, but I'm thinking it is similar to a SQL injection attack. There are coding techniques to avoid SQL injection attacks. So my questions are:

    1. Should I just not allow that kind of thing to be pasted in? I would just trap the error in validation.
    2. Are there techniques to "scrub" the data so the user can paste in what they want?

    Here is a sample of the text being pasted in:

    “Get Outlook for Android<https://aka.ms/ghei36>”

    Here is where I've been reading about it:

    https://www.codeproject.com/Tips/297...-value-was-det


    Edit:

    This site summed it up for me:

    https://msdn.microsoft.com/en-us/lib...v=vs.110).aspx

    I'm going to leave the post open for a while though in case any members have additional feedback.
    Last edited by TysonLPrice; Jun 16th, 2017 at 05:55 AM. Reason: Found additional information

  2. #2
    PlausiblyDamp (PowerPoster) | Join Date: Dec 2016 | Location: Pontypool, Wales | Posts: 2,458

    Re: A potentially dangerous Request.Form value was detected from the client

    The only person who can answer the question of whether you should allow these characters to be used is you (or your company); if the data being entered requires them, then you will need to allow them.

    If these characters are in your data, then you need to make sure that whenever you display them to a user you have correctly encoded them; how you do this depends on how you are generating the HTML.

    If this is an MVC project then Razor does this automatically; if it is a Web Forms project then you would wrap anything you are evaluating inside of <: your code here :> tags. The various controls in a Web Forms project should also properly encode the data, but it has been a long time since I have used Web Forms so I could be wrong.
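An added example (not from the thread or either poster) of the Web Forms approach described in the reply above: keep request validation on for the page as a whole, switch it off for the one text box that legitimately receives pasted text, and HTML-encode the value wherever it is rendered. It assumes .NET Framework 4.5 or later, a `requestValidationMode="4.5"` setting in web.config, and the control IDs shown in the comments.

```csharp
// Assumed web.config fragment (requestValidationMode 4.5 is what enables per-control opt-out):
//   <system.web>
//     <httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
//   </system.web>
//
// Assumed markup on StudyQuestion.aspx (only this one control skips validation):
//   <asp:TextBox ID="txtStudyQuestion" runat="server" ValidateRequestMode="Disabled" />
//   <asp:Button  ID="btnSave" runat="server" Text="Save" OnClick="btnSave_Click" />
//   <asp:Literal ID="litEcho" runat="server" />
//   <%-- Inline rendering uses the encoding tag, not <%= %>: --%>
//   <%-- <%: LastQuestion %> --%>
using System;
using System.Web;
using System.Web.UI;

public partial class StudyQuestion : Page
{
    // Exposed to the markup so <%: LastQuestion %> can render it (encoded) inline.
    protected string LastQuestion { get; private set; } = string.Empty;

    protected void btnSave_Click(object sender, EventArgs e)
    {
        // The raw value reaches us only because ValidateRequestMode="Disabled" is set on
        // this single control; every other field on the page is still validated.
        // Example input (constructed): "Get Outlook for Android<https://aka.ms/ghei36>"
        string raw = txtStudyQuestion.Text;

        // Store it as typed. Do not "scrub" angle brackets here; use a parameterized
        // query when persisting it so the same value cannot become SQL either.
        LastQuestion = raw;

        // Encode at the point of output: '<' becomes &lt;, so the browser shows text,
        // never markup or script, no matter what was pasted.
        litEcho.Text = EncodeForHtml(raw);
    }

    // Pure helper so the encoding behaviour is easy to see and unit test.
    public static string EncodeForHtml(string untrusted)
    {
        // HtmlEncode handles < > & " and ' ; null is treated as empty text.
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }
}
```

For the sample string from the first post, `EncodeForHtml` returns `Get Outlook for Android&lt;https://aka.ms/ghei36&gt;`, which the browser displays exactly as the user pasted it.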
