embedded html in events

  • Question

  • User-1603136709 posted

    Anyone have a problem entering embedded or inline html in the description of an event? I get an error coming back from the validation control(?). --Excuse me, I might get some terminology wrong being a newbie to .Net. The error says it found a potentially dangerous value. See full error text below. As you can see, I'm only trying to enter a break. I'm aware of the code someone else posted in another thread to process carriage returns, but I would also want to be able to embed other html tags. This was just a simple attempt. Thanks in advance!

     

    A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$FormView1$descriptionTextBox="... course!
    <br>
    Brian Jonas   ...").

    Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

    Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$FormView1$descriptionTextBox="... course!
    <br>
    Brian Jonas   ...").

    Source Error:

    The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:

    1. Add a "Debug=true" directive at the top of the file that generated the error. Example:

      <%@ Page Language="C#" Debug="true" %>

    or:

    2) Add the following section to the configuration file of your application:

    <configuration>
       <system.web>
           <compilation debug="true"/>
       </system.web>
    </configuration>

    Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.

    Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.

    Stack Trace:

    [HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$FormView1$descriptionTextBox="... course!
    <br>
    Brian Jonas   ...").]
       System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +3213186
       System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +108
       System.Web.HttpRequest.get_Form() +119
       System.Web.HttpRequest.get_HasForm() +57
       System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +2022785
       System.Web.UI.Page.DeterminePostBackMode() +60
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6953
       System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +154
       System.Web.UI.Page.ProcessRequest() +86
       System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
       System.Web.UI.Page.ProcessRequest(HttpContext context) +49
       ASP.events_edit_aspx.ProcessRequest(HttpContext context) +29
       System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +154
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64
    


    Version Information: Microsoft .NET Framework Version:2.0.50727.42; ASP.NET Version:2.0.50727.42

    Friday, June 23, 2006 9:50 AM

All replies

  • User541108374 posted

    Hi,

    ASP.NET tries by default to protect against special input that could harm the application by starting an XSS attack. In order to set this off (personally I only like to set it off on pages that only an admin can see), set the ValidateRequest attribute to false in the @Page directive. Also please take a look at this article: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/securitybarriers.asp.

    Grz, Kris.

    Friday, June 23, 2006 11:39 AM

  • User-1603136709 posted

    Thanks so much. The article was very informative. Actually, it is an admin page, so I feel better about it as well. I'm restricting access to the event_edit.aspx page.

    Friday, June 23, 2006 1:41 PM
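
With ValidateRequest set to false, the input check the error text asks for has to live in the application. The following is an added example, not code from this thread or from Microsoft: it HTML-encodes the whole description and then restores a short allow-list of attribute-free tags before the text is rendered. The class name, method name, tag list and sample strings are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility.HtmlEncode

// Hypothetical helper: call it on the stored description before writing it
// to a page whose @Page directive has ValidateRequest="false".
public static class DescriptionSanitizer
{
    // Assumed allow-list: simple formatting tags, no attributes permitted.
    // The pattern runs against the *encoded* text, so it only ever sees
    // "&lt;" and "&gt;", never live markup.
    private static readonly Regex AllowedTag = new Regex(
        @"&lt;(/?)(br|b|i|em|strong|p|ul|ol|li)\s*(/?)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string ToSafeHtml(string raw)
    {
        if (string.IsNullOrEmpty(raw)) return string.Empty;

        // Step 1: encode everything, so every tag becomes inert text.
        string encoded = HttpUtility.HtmlEncode(raw);

        // Step 2: turn back into markup only the bare allow-listed tags.
        // A tag carrying attributes (e.g. an event handler) does not match
        // and stays encoded.
        return AllowedTag.Replace(encoded, "<${1}${2}${3}>");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs, not taken from the thread.
        string[] samples =
        {
            "Line one\n<br>\nLine two",              // plain break is restored
            "<b onmouseover=\"x()\">hover</b>",      // attribute keeps the tag encoded
            "<script>x()</script><BR />",            // script stays text, break is restored
            "&lt;br&gt; typed literally"             // already-encoded text is shown as typed
        };

        foreach (string s in samples)
            Console.WriteLine(DescriptionSanitizer.ToSafeHtml(s));
    }
}
```

Restricting the edit page to admins limits who can submit markup, but the encoding step is what protects the visitors who later view the event description.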