Putting HTML into text control

We are creating an asp.net site to replace an old classic asp site. The users apparently added some html tags to the large text fields in the SQL Server database and when I try to edit them on a ListView I am getting an error message ‘A potentially dangerous
Request.Form value was detected from the client …’ and need to get around this somehow. When I looked at the database it has text like <ol><li>text</li></ol> in it. I hate to do a mass UPDATE as I am afraid it may not display correctly on the old classic
asp site. Any ideas? Thanks.

Hi,

Set 

<httpRuntime requestValidationMode="2.0" />

in your web.config. If you are setting this option, ensure that you take steps to protect against genuine attacks.

Please refer to the link below, which discusses a similar scenario and how to overcome it:

How to Solve Potentially Dangerous Request Issue

Use HtmlEncode() on the value so it will display literally. I think that will work.

How is that done on a ListView item? I currently have a TextBox with Text='<%# Bind("FaqResponse") %>'

Use <%# Server.HtmlEncode(Bind("FaqResponse")) %>. It will display the HTML-encoded string in your text box.

I tried that and it displayed ok, but I am concerned whether the user will understand what all of the &lt; or &gt; are, and it will be an issue. My thought was to do an SQL REPLACE() or something and use some alternate text. The good thing about the <li></li> thing
is that it gave them an automatic numbered list. They use this text field for instructions, etc. and I would like to allow them to have numbered paragraphs when they display the text in a Label control (which it does now) and also in a TextBox control when
they edit or insert rows.

First thing I would like to mention is that you should be (if you are not already) aware of the XSS (cross-site scripting) risks involved. So if you don't already know, gather some basic information. Secondly, Microsoft does have an AntiXSS library that you
should use. Download the library from the following link:

http://www.microsoft.com/en-in/download/details.aspx?id=28589

This library will give you many options to cleanse your data so that request validation won't fail.

I am really worried about allowing this in the new application. I don’t want more libraries, etc. and don’t have time to learn. I think I am just going to do an SQL REPLACE() on these nvarchar columns and let asp.net fail when someone tries to inject html characters…unless
you have a fool-proof method. Thanks.

That would be the best choice if you do not want to add anti XSS library. Request validation is there to protect you from XSS, and you need other libraries only when you decide to allow seemingly malicious data to enter into your system (by turning off request
validation).
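As an added example (not code from the thread), one way to serve both controls the original poster describes without turning request validation off globally: encode the stored value fully for the edit TextBox, and for the read-only Label re-enable only the bare <ol>/<li> tags the data actually uses, so any other markup stays encoded and renders as text. The class and method names are assumptions; this covers the display side only, and the postback path is still governed by request validation.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not from the thread. Helper for rendering a stored
// FaqResponse value in the two places the poster needs it.
public static class FaqText
{
    // Matches only already-encoded, attribute-free <ol>, </ol>, <li>, </li>.
    // A tag with attributes (e.g. onclick=...) encodes to something this
    // pattern never matches, so it stays as harmless text.
    private static readonly Regex AllowedTags = new Regex(
        @"&lt;(/?)(ol|li)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // For the edit TextBox: encode everything so markup shows literally.
    public static string ForTextBox(string stored)
    {
        return HttpUtility.HtmlEncode(stored ?? string.Empty);
    }

    // For the display Label: encode everything first, then restore only
    // the allowed list tags. Nothing else is ever emitted unencoded.
    public static string ForLabel(string stored)
    {
        string encoded = HttpUtility.HtmlEncode(stored ?? string.Empty);
        return AllowedTags.Replace(encoded, m =>
            "<" + m.Groups[1].Value
                + m.Groups[2].Value.ToLowerInvariant() + ">");
    }
}
```

In the ListView templates this would be used as Text='<%# FaqText.ForLabel(Eval("FaqResponse") as string) %>' on the Label and FaqText.ForTextBox on the edit TextBox (Eval is one-way binding, which is all the read-only Label needs).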
