
Thread: [RESOLVED] System.Web.HttpRequestValidationException A potentially dangerous Request.Form

  1. #1

    Thread Starter
    Frenzied Member FishGuy's Avatar
    Join Date
    Mar 2005
    Location
    Bradford UK
    Posts
    1,708

    Resolved [RESOLVED] System.Web.HttpRequestValidationException A potentially dangerous Request.Form

    Hi,

    In the load event of a web user control I have the following code which I am using to call a function in order to populate a HTML Text Area.

    The page hosting the control loads fine the first time it loads but on postback it throws the error

    System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client
    I have seen people suggest <%@ Page ... validateRequest="false" %>

    Firstly I would like to handle this at control level rather than on the hosting page and secondly is it not somehow possible to just somehow encode the problem string so this error is never raised in the first place?


    Code:
        if (!Page.ClientScript.IsStartupScriptRegistered("AddText"))
                    {
                        Page.ClientScript.RegisterStartupScript
                            (this.GetType(), "AddText", "AddText('txtAreaOutline', '" + aOutline1.Overview + "');", true);
                    }

  2. #2
    PowerPoster gep13's Avatar
    Join Date
    Nov 2004
    Location
    The Granite City
    Posts
    21,963

    Re: System.Web.HttpRequestValidationException A potentially dangerous Request.Form

    Hello,

    The problem here is that ASP.Net is trying to be a little bit too clever for its own good. When it sees what it thinks is potentially dangerous "code" being sent from the client, it throws this exception. This includes anything that looks like HTML, or JavaScript, etc. In order to get around this, the common technique, as you have mentioned, is to set the validateRequest to false. As soon as you do that though, you are leaving yourself open to attack. To prevent this from happening you need to make sure that you encode the string before sending it to the server, and store it in its encoded form, and then, when you send it back down to the client.

    This is typically done using the HtmlEncode and HtmlDecode helper methods.

    Gary

  3. #3

    Thread Starter
    Frenzied Member FishGuy's Avatar
    Join Date
    Mar 2005
    Location
    Bradford UK
    Posts
    1,708

    Re: System.Web.HttpRequestValidationException A potentially dangerous Request.Form

    That makes sense but I'm a little confused as to where I put the encoding?

    The server code is as previous
    and the javascript is as below.

    Code:
     function AddText(elementid, txtval) {
         var txtArea = document.getElementById(elementid);
         if (txtArea) {
             txtArea.value = txtval;
         }
     }
    As I understand it there is no javascript html encode method, but I cannot see in the server code which part I should encode.

    I tried as below but got the same error.


    Code:
     if (!Page.ClientScript.IsStartupScriptRegistered("AddText"))
                    {
                        Page.ClientScript.RegisterStartupScript
                            (this.GetType(), "AddText", "AddText('txtAreaCourseOutline', '" + Server.HtmlEncode(DALCourseOutlines.myCourseOutlinesCollection.Item(0).courseOverview) + "');", true);
                    }
    A potentially dangerous Request.Form value was detected from the client (txtAreaCourseOutline="<p>Please note this ...").

  4. #4

    Thread Starter
    Frenzied Member FishGuy's Avatar
    Join Date
    Mar 2005
    Location
    Bradford UK
    Posts
    1,708

    Re: System.Web.HttpRequestValidationException A potentially dangerous Request.Form

    Also tried.
    Code:
     Page.ClientScript.RegisterStartupScript
                            (this.GetType(), "AddText", "AddText('txtAreaCourseOutline', '<%: " + (DALCourseOutlines.myCourseOutlinesCollection.Item(0).courseOverview) + " %>');", true);
    But then got this error

    A potentially dangerous Request.Form value was detected from the client (txtAreaCourseOutline="<!--Please note this...").
    And

    Code:
        Page.ClientScript.RegisterStartupScript
                            (this.GetType(), "AddText", "AddText('txtAreaCourseOutline', '" + HttpUtility.HtmlEncode(DALCourseOutlines.myCourseOutlinesCollection.Item(0).courseOverview) + "');", true);
    A potentially dangerous Request.Form value was detected from the client (txtAreaCourseOutline="<p>Please note this ...").
    Last edited by FishGuy; Feb 11th, 2011 at 05:40 AM.

  5. #5
    PowerPoster motil's Avatar
    Join Date
    Apr 2009
    Location
    Tel Aviv, Israel
    Posts
    2,143

    Re: System.Web.HttpRequestValidationException A potentially dangerous Request.Form

    For what it's worth, the only time I implemented JavaScript from the server side was in my early days as an ASP.NET programmer. Since then I have created two large projects without the need to do that, so this is another ASP.NET feature that I'm not using. I think JavaScript needs to come from the js file and not from the server side.

  6. #6

    Thread Starter
    Frenzied Member FishGuy's Avatar
    Join Date
    Mar 2005
    Location
    Bradford UK
    Posts
    1,708

    Re: System.Web.HttpRequestValidationException A potentially dangerous Request.Form

    I tried this in the javascript file
    Code:
     function AddText(elementid, txtval) {
         var txtArea = document.getElementById(elementid);
         if (txtArea) {
             txtArea.value = '<%: ' + txtval + ' %>';
         }
     }
    but got the error

    A potentially dangerous Request.Form value was detected from the client (txtAreaCourseOutline="<!--Please note this...").

  7. #7

    Thread Starter
    Frenzied Member FishGuy's Avatar
    Join Date
    Mar 2005
    Location
    Bradford UK
    Posts
    1,708

    Re: System.Web.HttpRequestValidationException A potentially dangerous Request.Form

    The full code for the control's page load is as below.

    I have also tried adding ValidateRequest="false" to the @Page directive of the page which hosts the control but unfortunately this also does not even fix the problem.
    Code:
     protected void Page_Load(object sender, EventArgs e)
        {
            if (Page.IsPostBack == false)
            {
    
                if (Page.PreviousPage != null && Page.PreviousPage.IsCrossPagePostBack)
                {
                    DAL_CourseOutlines DALCourseOutlines = new DAL_CourseOutlines();
                    DALCourseOutlines.Fill_CourseOutlines();
                   
                    ContentPlaceHolder BodyContent = (ContentPlaceHolder)Page.PreviousPage.Master.FindControl("maincontent");
                    ASP.usercontrols_courses_ascx test = (ASP.usercontrols_courses_ascx)BodyContent.FindControl("Courses1");
                    courseCode = test.courseCode;
                    this.lblCourseCode.Text = courseCode;
                    
                    this.GridView1.DataSource = DALCourseOutlines.myCourseOutlinesCollection;
                    this.GridView1.DataBind();
    
                    if (!Page.ClientScript.IsStartupScriptRegistered("AddText"))
                    {
                        Page.ClientScript.RegisterStartupScript
                            (this.GetType(), "AddText", "AddText('txtAreaCourseOutline', '" + DALCourseOutlines.myCourseOutlinesCollection.Item(0).courseOverview + "');", true);
                    }
                   
                }
    
                else
                {
                    this.lblCourseCode.Text = "Course Code Not Found";
                }
            }
        }

  8. #8

    Thread Starter
    Frenzied Member FishGuy's Avatar
    Join Date
    Mar 2005
    Location
    Bradford UK
    Posts
    1,708

    Re: System.Web.HttpRequestValidationException A potentially dangerous Request.Form

    A little bit of progress.

    When I add
    Code:
     <httpRuntime requestValidationMode="2.0" />
    into the web config, it no longer errors with ValidateRequest="false" in the containing page's header.

    However I would rather set this up at control level rather than page but preferably, get the encoding working so I am not reliant on turning off validation.

  9. #9

    Thread Starter
    Frenzied Member FishGuy's Avatar
    Join Date
    Mar 2005
    Location
    Bradford UK
    Posts
    1,708

    Re: System.Web.HttpRequestValidationException A potentially dangerous Request.Form

    I am going to resolve this as I have cleared the original error albeit not in the way that I had hoped.

  10. #10
    PowerPoster gep13's Avatar
    Join Date
    Nov 2004
    Location
    The Granite City
    Posts
    21,963

    Re: [RESOLVED] System.Web.HttpRequestValidationException A potentially dangerous Requ

    Hey,

    As far as I am aware, you would still have to turn the validation off. However, in doing so, you have to make sure you encode and decode the input and display, otherwise you leave yourself susceptible to injection of code.

    Gary
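
Added example, not part of the thread or any poster's code: post #3 notes that JavaScript has no built-in HTML-encode method, so this sketches the client-side encode and decode step that posts #2 and #10 describe. The function names and the sample string are assumptions, and `looksDangerous` only approximates the `<`-plus-letter and `&#` patterns that ASP.NET request validation rejects.

```javascript
// Hypothetical helpers for encoding a textarea value before it is posted.
// Only named entities are produced: a numeric reference such as &#39;
// contains "&#", which request validation also rejects.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const DECODE_MAP = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"' };

// Encode the characters that make a posted value look like markup.
function encodeForPost(text) {
  return String(text).replace(/[&<>"]/g, (ch) => ENCODE_MAP[ch]);
}

// Reverse encodeForPost in a single pass, so "&amp;lt;" decodes to the
// literal text "&lt;" and never to "<" (no double decoding).
function decodeFromPost(text) {
  return String(text).replace(/&(?:amp|lt|gt|quot);/g, (ent) => DECODE_MAP[ent]);
}

// Approximation (assumption) of what trips HttpRequestValidationException:
// "<" followed by a letter, "!", "/" or "?", or the sequence "&#".
function looksDangerous(value) {
  return /<[a-z!\/?]/i.test(value) || /&#/.test(value);
}

// Constructed sample, modelled on the "<p>Please note this ..." value
// quoted in the error message.
const SAMPLE = '<p>Please note this & that</p>';

// Report what happens to a value at each stage of the round trip.
function roundTrip(value) {
  const encoded = encodeForPost(value);
  return {
    rawFlagged: looksDangerous(value),
    encoded: encoded,
    encodedFlagged: looksDangerous(encoded),
    restored: decodeFromPost(encoded),
  };
}

console.log(roundTrip(SAMPLE));
```

The server still has to treat the stored value as untrusted and encode it for the context it is written into. In the thread's startup script that context is a JavaScript string literal, which HTML encoding alone does not cover.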
