[2005] adding a textbox with HTML code in it

[r0k3t]

Hi there,

I have placed a textbox on my page that generates an href when the page is loaded - so the user can copy and paste the link.

The problem I have that when I go to update the page I get an exception.

Code:

A potentially dangerous Request.Form value was detected from the client (ctl00$Main$PropertyListingRepeater$ctl00$HttpLinkTextBox="<a href='http://www....").

I don't want to turn off validation, but I am not worried about this textbox as I don't do anything with the value of it, it is just there to make it easy for the user to copy and paste the link...

I am a little stumped - any suggestions?

Thanks!

[gep13]

Hey,

This problem is due to the fact that ASP.NET is trying to protect you from potentially dangerous attacks on your website. It knows that you have a textbox, and that there is potentially dangerous script in there. If you are not doing anything with the content of that textbox, the way around this would be to do what is suggested in the error message.

However, if you do this, it is highly recommened that you make sure you HtmlEncode everything that comes from that page (having said that, you should be doing that for any input that comes from the user.

The other way would be to output the href to a Label or something similar, that way the user can still copy and paste it, but it won't cause you any problems.

Try something like this:

Code:

Label1.Text = Server.HtmlEncode("<a href='www.test.com'>test</a>");

Hope that helps!!

Gary

[mendhak]

This is one of those areas in ASP.NET in which you often end up purposely disabling a security feature for application functionality. In addition to what gep said it's also good practice to run some regex against the HTML entered and to strip it of any <script> tags or to tell the user to play nice.

[r0k3t]

Hi there,

Thanks for the responses - I am trying to find a way to NOT disable the security feature as there are many textboxes on this form they I do process. It just happens that this particular one is not processed, it is just there to show the user a link...

What does anyone think about sticking a little java script that clears out this text box on submit? Cause like I said - It doesn't get processed so I don't care what is in there.

Ideally I would like to be able to disable validation for this ONE single control and not the whole page...

Thanks for your suggestions!

[gep13]

Hey,

Did you consider the suggestion of not outputting the text to a textbox, but rather a label?

That way they can still copy and paste it, but it won't cause you the problem that you are seeing.

Gary

[Pradeep1210]

I had asked a similar question in the near past. But could not get any satisfactory answer.
http://www.vbforums.com/showthread.php?t=553943

So the best I think you can do is to use javascript to strip off those offending characters or convert to their html equivalents on page submit.
i.e.
< = &lt;
> = &gt;

etc.