
I'm trying to work on a 'practice' app wherein the textbox value will be inserted into the database.

What happens is that when I insert the textbox.text value:

Ex. text =

           <script>alert('Hello')</script>

I get an error: A potentially dangerous Request.Form value was detected from the client (TextBox1="alert('XSS')...").

I'm already using SQL parameters, so values like ' " /// \\ are not a problem as of now.

4 Answers


Set ValidateRequest="false" for your page to allow HTML.

At page level:

<%@ Page Language="c#"  ValidateRequest="false" AutoEventWireup="false" CodeBehind="TestPage.aspx.cs" Inherits="TestPage" %>

Also, for ASP.NET 4.0, you need to add the following to your web.config:

<httpRuntime requestValidationMode="2.0" />

2 Comments

Setting ValidateRequest="false" for the page will make the security aspects of that page weaker; I would recommend HTML editor controls instead.
Thank you (Thanks++) for the immediate reply, sir, but is it possible to do it without changing those values that you stated above? (I'm just curious if it's possible) :D

If it is only for testing purposes, you may disable the ASP.NET validator so it will stop looking for HTML/XML tags that could be potentially dangerous. To do that, set ValidateRequest to false in your aspx page.

<%@ Page Title="" Language="C#" ValidateRequest="false"

This is not recommended for production environments, but in your case it can do the trick. More info in the following MSDN link.



It's not a (potential) SQL problem that ASP.NET is warning about. When you accept that value and later show it in your page without encoding, then that unwanted script will fire.

At this moment it will show a harmless alert, but if you allow any user to type in these values then who knows what will happen.
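The two answers above describe the same trade-off from opposite ends: request validation inspects the posted form before any of your code or SQL runs, and what actually stops a stored `<script>` from firing is HTML-encoding the value when it is rendered. The code-behind below is an added example, not code from the question or from any of the answers. It assumes ASP.NET 4.5 or later (so that a single control can opt out of validation with `ValidateRequestMode="Disabled"`, leaving the rest of the page validated), an invented table `dbo.Notes(Body nvarchar(max))`, a `TextBox1`, a `SaveButton` and an `asp:Literal` named `NoteLiteral` on the page, and a placeholder connection string.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind for the asker's TestPage.aspx (added example).
// Corresponding markup, assumed for this example:
//   <asp:TextBox ID="TextBox1" runat="server" ValidateRequestMode="Disabled" />
//   <asp:Button  ID="SaveButton" runat="server" OnClick="SaveButton_Click" Text="Save" />
//   <asp:Literal ID="NoteLiteral" runat="server" />
// ValidateRequestMode="Disabled" (ASP.NET 4.5+) switches validation off for this
// one control only; ValidateRequest="false" at page level would switch it off
// for every field on the page.
public partial class TestPage : Page
{
    // Placeholder; a real app reads this from web.config <connectionStrings>.
    private const string ConnectionString =
        "Server=.;Database=PracticeDb;Integrated Security=true";

    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Because TextBox1 has ValidateRequestMode="Disabled", reading .Text
        // here no longer throws "A potentially dangerous Request.Form value".
        // Request.Unvalidated.Form[TextBox1.UniqueID] would be the equivalent
        // way to read the raw value from a control that is still validated.
        string raw = TextBox1.Text;

        SaveNote(raw);

        // Render the value back to the page, encoded.
        NoteLiteral.Text = EncodeForHtml(raw);
    }

    // Storage side: the asker already does this. A parameter keeps the quotes
    // and backslashes in the value from ever being parsed as SQL, and the
    // value is stored byte-for-byte as typed, <script> tag included.
    private static void SaveNote(string body)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("INSERT INTO dbo.Notes (Body) VALUES (@body)", conn))
        {
            cmd.Parameters.Add("@body", SqlDbType.NVarChar).Value = body;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Output side: this is the step that makes the stored script harmless.
    // HttpUtility.HtmlEncode turns <script>alert('Hello')</script> into
    // &lt;script&gt;alert(&#39;Hello&#39;)&lt;/script&gt;, which the browser
    // displays as text instead of executing. The same encoding is what the
    // <%: value %> syntax and <asp:Literal Mode="Encode"> apply for you.
    public static string EncodeForHtml(string storedBody)
    {
        return HttpUtility.HtmlEncode(storedBody ?? string.Empty);
    }
}
```

Two things to check when you wire this up: the encoding has to happen on every path that writes the stored value into a page (a grid column, a label, a JavaScript block), and `HtmlEncode` is only correct for HTML element content; a value placed inside an attribute or a `<script>` block needs the encoder for that context (`HttpUtility.HtmlAttributeEncode`, `HttpUtility.JavaScriptStringEncode`).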



You can just insert the tag broken up in a concatenated string, like in:

Insert into table values('<'+'h2'+'>'+'Another One'+'<'+'/'+'h2'+'>')
