Home/ Questions/Q 493213
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T02:11:29+00:00

Here’s the scenario: I’ve got a regular hyperlink on my .ascx. (no I have

  • 0

Here’s the scenario:

I’ve got a regular hyperlink on my .ascx. (no I have decided NOT to use an asp.net control)
That hyperlink when clicked sends over the querystring an ID of an object to be deleted so in the code-behind of my page, I grab that and if it’s there call a RemoveSomeItem method which removes it and then does a Response.Redirect back to the Request.Path since we don’t know what .aspx page will be using this control. That all works fine.

But I need to also show a nice message at the top of that .aspx page after redirect “you have just deleted [item name]”

So what I did was in that response redirect, I added an additional querystring param called removedItemName which has for example even some HTML in the string:

&removedName=<sup>©</sup> Hockey Cup - Large

Problem ASP.NET detects this as a potentially unsafe string but of course this will never be so I tried to add this to the .aspx page directive:

ValidateRequest="false"

but it did not work. ASP.NET is still throwing the error:

A potentially dangerous Request.QueryString value was detected from the client (removedName=”© Hockey…”).

Second, does anyone pass Html like this in a querystring for completely harmful circumstances? Meaning is this common? And does it cause problems with passing strings with spaces via a querystring param or are spaces acceptable?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’ll start by saying this is generally a bad idea. You don’t want to give direct control of what is rendered in the page over to the user. They could put anything in the querystring. You’re better off caching the message like so:

    Guid id = Guid.NewGuid();
HttpRuntime.Cache.Add(id, "<sup>foo</sup>");
Response.Redirect("page.aspx?message=" + id.ToString());

    And then retrieving the message (and if you want, removing it):

    string message = HttpRuntime.Cache[new Guid(Request.QueryString["message"])];
HttpRuntime.Cache.Remove(id);

    But if you must need to know how to put HTML in the querystring:

    Encode it:

    string value = HttpUtility.UrlEncode("<sup>foo</sup>");

    Yields:

    %3Csup%3Efoo%3C%2Fsup%3E

    And decode to get the reverse:

    string value = HttpUtility.UrlDecode("%3Csup%3Efoo%3C%2Fsup%3E");
    • 0