HTML code in textbox

  • Question

  • User-1156691840 posted

    I have certain fields in the form that are obligatory and should be filled. For that I have the required field validator, which validates the data that is being entered in the text box. Normally, if the user leaves the textbox empty and clicks the save button, the validator displays the message. But if the user is smart enough he could simply type &nbsp; in the textbox, which will save the form, and when the saved values are displayed in a control like a label the value will be empty.

    So what's the best way to avoid these kinds of problems in ASP.NET 2, so that the user cannot fill the HTML code in the textboxes?

    Any suggestion would be of great help.

    Regards,

    Khurram 

    Wednesday, January 17, 2007 8:02 AM

All replies

  • User-384517966 posted

    Hello,

    Before you save the data in the database, or before you display it, you can HtmlEncode the value. This will turn the & into &amp;. Just like &nbsp; is the htmlencoded value for a space character, &amp; is the htmlencoded value for a & character (called an ampersand). This way the result will be &amp;nbsp; which, when displayed in a label, will result in the text &nbsp;. That is the exact thing the user entered!

    Also, ASP.NET already checks for HTML tags; try to enter <html> in a textbox and submit the form. You will get this error:

    A potentially dangerous Request.Form value was detected from the client (TextBox1="<html>").

    Good luck!
     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, January 17, 2007 2:19 PM
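
The encoding step described in the answer above, together with a server-side check for the original required-field problem, as an added example that is not part of the original thread or of ASP.NET itself. `IsEffectivelyEmpty` is a hypothetical helper name and the sample inputs are constructed; the example goes slightly beyond the answer by decoding the input before testing for emptiness, so that a field containing only `&nbsp;` is rejected like a blank one.

```csharp
using System;
using System.Web; // HttpUtility.HtmlEncode / HttpUtility.HtmlDecode

static class RequiredTextDemo
{
    // Hypothetical helper: returns true when the submitted text has no
    // visible content once HTML entities such as &nbsp; are decoded.
    static bool IsEffectivelyEmpty(string submitted)
    {
        if (string.IsNullOrEmpty(submitted))
            return true;

        // Decode first, so "&nbsp;" and "&#160;" become the real
        // non-breaking space character (U+00A0).
        string decoded = HttpUtility.HtmlDecode(submitted);

        foreach (char c in decoded)
        {
            // char.IsWhiteSpace treats U+00A0 as white space.
            if (!char.IsWhiteSpace(c))
                return false;
        }
        return true;
    }

    static void Main()
    {
        // Constructed sample submissions for a required field.
        string[] samples =
        {
            "", "   ", "&nbsp;", "&nbsp; &#160;", "Khurram", "Tom & Jerry"
        };

        foreach (string input in samples)
        {
            // Server-side required-field decision.
            bool rejected = IsEffectivelyEmpty(input);

            // Encode on output so the browser shows the typed characters
            // literally instead of interpreting them as markup or entities.
            string labelMarkup = HttpUtility.HtmlEncode(input);

            Console.WriteLine("input=[{0}] rejected={1} label markup=[{2}]",
                              input, rejected, labelMarkup);
        }
    }
}
```
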
  • User-1156691840 posted

    Yes, exactly, I got it sorted out. This post provided the necessary details.

    http://www.asp.net/faq/requestvalidation.aspx

    Thanks, 

    Khurram

    Thursday, January 18, 2007 5:56 AM