odd behavior of HtmlEncode

Question

User1355664578 posted

I'm using a web site to get data from a textbox and then submit it into a DB. 

That works fine until there's the '<' sign in the text of the textbox. Then I'm getting a server error (A potentially dangerous Request.Form value was detected from the client...) when reading the textbox.text.

I tried to solve the issue by using HtmlEncode like this:  "outText = Server.HtmlEncode(TextBox.Text)" but it isn't always working.

Input: "<xyz" --> error as before

Input: "< xyz" --> HtmlEncode works and outText is "&lt; xyz".

Now I can't force my users not to use the "<" character or to always leave a space afterwards. I also spent a lot of time looking at online examples and nowhere did I see such a limitation so I'm wondering what else could cause this odd behavior.

Answer 1

User475983607 posted

This is the expected behavior of ASP Web Forms.  The framework i trying to protect you from malicious code like script injection.  The error message explains how to turn this feature off.

https://www.aspsnippets.com/Articles/ASPNet-Error-A-potentially-dangerous-RequestForm-value-was-detected-from-the-client.aspx

Answer 2

User1355664578 posted

I know what is causing the error/warning and I don't want to disable the verification all together for exactly the reasons stated in your referenced article.

My problem is that HTMLEncode only seems to work for me when there is a space after the "<" sign. 

Here is an example code: https://docs.microsoft.com/en-us/dotnet/api/system.web.httpserverutility.htmlencode?view=netframework-4.6.1#System_Web_HttpServerUtility_HtmlEncode_System_String_ but if I'm using the example string "<script>unsafe</script>" then I'm still getting the error unless i'm changing the string to "< script>unsafe< /script>" with added spaces after the "<" characters. 

I don't believe that the code is wrong as it is very simple but something else seems off in my project.

Answer 3

User475983607 posted

I'm not sure what problem you are trying to solve.  By default the framework protest against script injection so the programmer does not have to worry about writing validation code on every text input.  If you trust the input content then set ValidateRequest=false.

but if I'm using the example string "<script>unsafe</script>" then I'm still getting the error unless i'm changing the string to "< script>unsafe< /script>" with added spaces after the "<" characters. 

Correct, a space added after the "<" as in "< script>" invalidates the script tag and and considered plain text by the browser. 

Answer 4

User-1716253493 posted

htmlencode should work, try compare the original/encoded output.

Seem, the problem is where you use it because you still get same error with encoded textboxt text.

It is mean that request form value is not encoded yet, or the problem is from another place.

Maybe you have two or more codes that still sending original text