When I try to post any thing that contains <whatever> I get
A potentially dangerous Request.Form
value was detected from the client
Description: Request Validation has
detected a potentially dangerous
client input value, and processing of
the request has been aborted. This
value may indicate an attempt to
compromise the security of your
application, such as a cross-site
scripting attack. To allow pages to
override application request
validation settings, set the
requestValidationMode attribute in the
httpRuntime configuration section to
requestValidationMode=”2.0″. Example:
. After
setting this value, you can then
disable request validation by setting
validateRequest=”false” in the Page
directive or in the
configuration section. However, it is
strongly recommended that your
application explicitly check all
inputs in this case. For more
information, see
http://go.microsoft.com/fwlink/?LinkId=153133.Exception Details:
System.Web.HttpRequestValidationException:
A potentially dangerous Request.Form
value was detected from the client
I have following asp.net code
<asp:DetailsView ID="newsDetail" runat="server" DataSourceID="SqlDataSourceNews"
AutoGenerateRows="False" DataKeyNames="id"
OnItemUpdating="NewsDetailItemUpdating" OnItemCreated="NewsDetailItemCreated"
OnItemDeleted="NewsDetailItemDeleted" OnItemInserted="NewsDetailItemInserted"
OnItemInserting="NewsDetailItemInserting" OnItemUpdated="NewsDetailItemUpdated"
DefaultMode="Insert">
<Fields>
<asp:TemplateField FooterText="show at statpage" HeaderText="view" SortExpression="view">
...
</asp:TemplateField>
<asp:BoundField DataField="headline" HeaderText="Headline" SortExpression="headline">
</asp:BoundField>
<asp:TemplateField HeaderText="Text">
<ItemTemplate>
<asp:Label ID="post" runat="Server" Text='<%# Eval("post") %>' OnPreRender="PostLabelPreRender" />
</ItemTemplate>
<InsertItemTemplate>
<asp:TextBox ID="postTextBox" runat="server" Text='<%# Bind("post") %>' TextMode="MultiLine"
Width="500px" Height="300px" />
</InsertItemTemplate>
<EditItemTemplate>
<asp:TextBox ID="postTextBox" runat="server" Text='<%# Bind("post") %>' TextMode="MultiLine"
Width="500px" Height="300px" />
</EditItemTemplate>
</asp:TemplateField>
And the code
protected void NewsDetailItemUpdating(object sender, DetailsViewUpdateEventArgs e)
{
// Iterate though the values entered by the user and HTML encode
// the values. This helps prevent malicious values from being
// stored in the data source.
for (int i = 0; i < e.NewValues.Count; i++)
if (e.NewValues[i] != null)
e.NewValues[i] = Server.HtmlEncode(e.NewValues[i].ToString());
}
protected void NewsDetailItemInserting(object sender, DetailsViewInsertEventArgs e)
{
for (int i = 0; i < e.Values.Count; i++)
if (e.Values[i] != null)
e.Values[i] = Server.HtmlEncode(e.Values[i].ToString());
}
protected void NewsDetailItemUpdated(object sender, DetailsViewUpdatedEventArgs e)
{
newsList.DataBind();
}
protected void NewsDetailItemInserted(object sender, DetailsViewInsertedEventArgs e)
{
newsList.DataBind();
}
protected void NewsDetailItemDeleted(object sender, DetailsViewDeletedEventArgs e)
{
newsList.DataBind();
}
protected void NewsDetailItemCreated(object sender, EventArgs e)
{
newsList.DataBind();
}
The problem you’re having is that in one of your text boxes you have put html tags or just the < > symbols and the .net framework tracks that as a potential dangerous script. This is to prevent people from putting malicious script tags in the input fields.
You can work around this by putting in your page directive
ValidateRequest="false"you will also have to put in your web.config<httpRuntime requestValidationMode="2.0" ... />