A potentially dangerous Request.Form value was detected from the client

  • Question

  • User-1496281956 posted

    Hi me again!

    I am using CKEditor to update content in a text area. However, since it has <p> tags and such, they are treated as threats by ASP.NET. How can I stop this behaviour? The only person who will edit this website will be me, and that means logging in.

    I tried this:

    <configuration>
        <system.web>
          <pages validateRequest="false" />
        </system.web>
    </configuration>

    but it never worked.

    Tuesday, July 10, 2012 7:21 PM


All replies

  • User1309052532 posted

    I'd advise you not to set validateRequest = "false"

    It leaves your application open to injection attacks.

    Encode your content before posting by using

    HttpUtility.HtmlEncode(mystring)
    ' mystring is the content you want encoded 

    Tuesday, July 10, 2012 8:12 PM
  • User-1205307838 posted

    When you request the value of the control use:

    Request.Unvalidated("name_here");

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, July 10, 2012 8:12 PM
  • User-1496281956 posted

    I did what Tom said, however for some reason it gives this error now:

     [ Token line number = 1,Token line offset = 8,Token in error = Pages ]


    points to this:

    var SQLUPDATE = "UDPATE Pages set pName=@0, pTitle=@1, pKeywords=@2, pDescription=@3, pBody=@4, pSiteMap=@5 pCategory=@6, pLastEdited=@7 WHERE id=@8";


    Yep, you solve one thing to realize another has just broken. Great!


    Wednesday, July 11, 2012 8:10 AM
  • User-1205307838 posted
    Try update...:-)
    Wednesday, July 11, 2012 8:48 AM
  • User-1496281956 posted

    Still gives me the same error;

    string format = " dd/MMM/yyyy - hh:mm:ss tt "; 
    var pName = data.pName;
    var pTitle = data.pTitle;
    var pKeywords = data.pKeywords;
    var pDescription = data.pDescription;
    var pBody = data.pBody;
    var pCategory = data.pCategory;
    var pSiteMap = data.pSiteMap;
    var pLastEdited = data.pLastEdited;
    
    //Gets input control names
    if (IsPost){
    
    pName = Request["pName"];
    pTitle = Request["pTitle"];
    pKeywords = Request["pKeywords"];
    pDescription = Request["pDescription"];
    pBody = Request.Unvalidated("pBody");
    pSiteMap = Request["pSiteMap"];
    pCategory = Request["pCategory"];
    pLastEdited = DateTime.Now.ToString(format);
    
    
    
    //Update the database
    var SQLUPDATE = "UDPATE Pages set pName=@0, pTitle=@1, pKeywords=@2, pDescription=@3, pBody=@4, pSiteMap=@5  pCategory=@6, pLastEdited=@7 WHERE id=@8 ";
    
    try{
    
     db.Execute(SQLUPDATE,pName, pTitle, pKeywords, pDescription, pBody,pSiteMap,pCategory,pLastEdited, id);
     msg="Data Saved!";
    }
    catch (Exception ex){
     msg = ex.Message.ToString();
    }
    
    
    
    }

    I can insert things into the database via the create page, but I can't edit them because of that error.

    Wednesday, July 11, 2012 8:51 AM
  • User-1205307838 posted
    No, in your code you have UDPATE, should be update
    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, July 11, 2012 9:28 AM
  • User-1496281956 posted

    Thanks, it's very weird why it did not work because in my other application I got UPDATE in uppercase so weird..

    Wednesday, July 11, 2012 9:43 AM
  • User-1205307838 posted
    Uppercase is not a problem. In your code you had uDPate
    Wednesday, July 11, 2012 10:54 AM
  • User964056028 posted

    If this doesn't work for you, try this solution

    <system.web>
      <httpRuntime requestValidationMode="2.0" />
    </system.web>

    Thanks to

    http://www.devcurry.com/2010/09/potentially-dangerous-requestform-value.html#.UgO9x21yWMU

    Thursday, August 8, 2013 11:59 AM
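
Added example, not written by any poster in this thread: an ASP.NET Web Pages edit page that reads only `pBody` with `Request.Unvalidated`, leaves request validation on for the other fields, and stores the body only if it consists of attribute-free tags from an allowlist. The `IsAllowedMarkup` helper, the tag list, the `MySite` connection name, the login path, and the use of `WebSecurity` and `UrlData[0]` are assumptions for illustration.

```csharp
@using System.Collections.Generic
@using System.Text.RegularExpressions
@functions {
    // Formatting tags accepted from the editor (list constructed for this example).
    static readonly HashSet<string> AllowedTags = new HashSet<string>(
        new[] { "p", "br", "strong", "em", "ul", "ol", "li", "h2", "h3", "blockquote" },
        StringComparer.OrdinalIgnoreCase);

    // Matches an opening or closing tag that carries no attributes: <p>, </p>, <br />.
    static readonly Regex BareTag = new Regex(@"<(/?)([a-zA-Z][a-zA-Z0-9]*)\s*(/?)>");

    // Hypothetical helper: true only if every tag is an attribute-free allowlisted tag.
    static bool IsAllowedMarkup(string html) {
        bool allTagsAllowed = true;
        string rest = BareTag.Replace(html ?? "", m => {
            if (!AllowedTags.Contains(m.Groups[2].Value)) { allTagsAllowed = false; }
            return "";
        });
        // A leftover '<' means a tag with attributes, a comment, or malformed markup.
        return allTagsAllowed && rest.IndexOf('<') < 0;
    }
}
@{
    // Only the logged-in editor may reach this page (assumed login path).
    if (!WebSecurity.IsAuthenticated) {
        Response.Redirect("~/Account/Login");
    }
    var db = Database.Open("MySite");   // assumed connection name
    var id = UrlData[0];                // assumed: page id taken from the URL
    var msg = "";

    if (IsPost) {
        var pTitle = Request["pTitle"];             // still passes through request validation
        var pBody = Request.Unvalidated("pBody");   // the only field read without validation

        if (!IsAllowedMarkup(pBody)) {
            msg = "Body contains markup that is not allowed.";
        } else {
            // Parameterized statement; values are never concatenated into the SQL text.
            db.Execute("UPDATE Pages SET pTitle=@0, pBody=@1 WHERE id=@2", pTitle, pBody, id);
            msg = "Data Saved!";
        }
    }
}
```

When the page is displayed, Razor HTML-encodes `@page.pTitle` by default, so only the checked `pBody` value needs to be written with `Html.Raw`.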