I have created a website in ASP.NET 3.5 that takes some input in text format and saves it in a SQL Server 2005 database.
The database field is varchar(50).
But I can't do it if the data in the text box contains special symbols like <, >, #, @.
It generates a client script error showing security error.
For scripting I am using JavaScript.
As @John Nolan writes, this is most likely the result of ASP.NET's built-in request validation.
You have to turn off the built in validation and roll your own:
You can turn off the validation at page level:
or at application level (in web.config):
Don't forget to encode all output from your application, especially after turning off the request validation.
Check out this article on the subject.
In order to protect your application you have to follow common Web application security guidelines and among others encode all your output that was generated directly or indirectly by users to avoid Cross Site Scripting (XSS). Microsoft has provided an Anti XSS library to simplify this. OWASP has an XSS prevention cheat sheet.
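The following single-file ASP.NET page is an added example, not code from the question or the answer above and not Microsoft's own sample. It shows the two things the answer describes together: the page-level `ValidateRequest="false"` directive (with the `web.config` equivalent in a comment) and explicit output encoding of the stored text before it is rendered. The control IDs, the `Comments`/`Body` table and column, and the `AppDb` connection-string name are hypothetical; the insert is parameterised and the input is checked against the varchar(50) length so that the special characters reach the database as data only.

```aspx
<%@ Page Language="C#" ValidateRequest="false" %>
<%-- Page-level switch: ValidateRequest="false" disables ASP.NET request validation
     for this page only. The application-wide alternative is in web.config:
         <system.web>
           <pages validateRequest="false" />
         </system.web>
     Either way the page now accepts input such as <, >, # and @, so every place
     the stored text is rendered back must be HTML-encoded. --%>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
    // Hypothetical names: the Comments table, the Body column and the "AppDb"
    // connection string are assumptions for this example.
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        string text = CommentBox.Text;

        // The column is varchar(50): reject over-long input up front instead of
        // letting SqlClient fail with a truncation error.
        if (text.Length > 50)
        {
            Message.Text = "Input must be 50 characters or fewer.";
            return;
        }

        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO Comments (Body) VALUES (@body)", conn))
        {
            // Parameterised insert: the raw text, special characters included, is
            // passed as a value and never spliced into the SQL string.
            cmd.Parameters.Add("@body", System.Data.SqlDbType.VarChar, 50).Value = text;
            conn.Open();
            cmd.ExecuteNonQuery();
        }

        // Output encoding: "<script>" is rendered as "&lt;script&gt;", so the
        // browser shows the characters literally instead of executing them.
        Echo.Text = Server.HtmlEncode(text);
        Message.Text = "Saved.";
    }
</script>
<html>
<body>
    <form id="form1" runat="server">
        <asp:TextBox ID="CommentBox" runat="server" MaxLength="50" />
        <asp:Button ID="SaveButton" runat="server" Text="Save" OnClick="SaveButton_Click" />
        <p><asp:Literal ID="Message" runat="server" /></p>
        <p>You entered: <asp:Literal ID="Echo" runat="server" /></p>
    </form>
</body>
</html>
```

`Server.HtmlEncode` is the framework's own encoder; the Anti-XSS library the answer mentions offers `Microsoft.Security.Application.AntiXss.HtmlEncode` as a stricter drop-in, and `AntiXss.JavaScriptEncode` for text placed inside script blocks, where HTML encoding alone is not sufficient. The `MaxLength="50"` on the text box is only a convenience for the user; the server-side length check is what actually enforces the column width.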