3

I use asp.net / visual studio2013 / c# to create a web application.

I have an input textfield. When I type <div> (or any nonsensical html-like tags such as <abc>) and do a postback, the postback never occurs and I get a javascript error message:

Sys.WebForms.PageRequestManagerServerErrorException:
A potentially dangerous Request.Form value was detected from the client 
(ctl00$ctl00$MainSection$DescriptionTextBox="<div>").

This error is generated by a big javascript file that automatically gets inserted in my page when I build the application. (in other words, I have no control over this javascript)

This is great for preventing hackers from injecting any code into my code, but what really bothers me is that no postback actually occurs, and no error messages or anything are shown.

Imagine a random user trying to type <for my best friend> in the textbox. From the user's perspective, the website is broken because nothing happens.

My question is, how can I inform the user what the problem is (namely, you cannot type that text) when the problem arises?

1
  • You can include your own custom javascript which inspects the form fields for these characters before the form is submitted. Commented Feb 3, 2014 at 14:38

5 Answers

2

Sure it does for security reasons.

Here is an explanation and work-around:

Rick Strahl's blog

I would not recommend switching it completely off on the whole site, it is there because it is a major security feature you really want to keep.

It's far better to use javascript client-side just before the submit and revert it back-to-normal when the page is loaded.

Just as an example, TinyMCE has an onSubmit() event method for this purpose:

You can hook into it and have a one-liner replacing < and > with their HTML-friendly counterparts &lt; and &gt;.

For other controls there should be equal mechanisms.


4 Comments

Not sure the work-around is going to work for Web Forms.
OP said he is using the default textbox control.
Yes, but this is a problem that all ASP.NET forms have. He should not bother about it or, if there is reason to assume that users will use tags, replace it with a RichText control.
What bothers me is that I would need to check the input text or clean/sanitize it for every single input on the website. The system already checks whether it's potentially dangerous for me, I would just like some way to catch the result, and act accordingly.
2

When you are sure you HTML-encode everywhere you pass strings to HTML, then set validateRequest="false".

In .NET 4 you may need to do a little more. Sometimes it's necessary to also add httpRuntime requestValidationMode="2.0" to web.config

Reference

If you are using MVC, then use [AllowHtml] on the model property.

Comments

1

I wrote a NuGet package a while back that disables request validation wholesale for a web site. Sounds like your scenario might be a candidate for this.

Request validation is (in hindsight) an ill-planned feature where we tried to hold the developer's hand and protect his site against XSS attacks automatically. Unfortunately it doesn't actually work that well, but since people depend on it we can't simply turn the feature off in the product by default. :(

If you do install this package, please check to make sure that you're validating / sanitizing all input and properly encoding all output.

1 Comment

I'm a big fan of validation. I use several RequiredField and regular expression validators. I was hoping there was a solution without disabling ALL validation and encoding/sanitizing everything. Thanks anyway for your perspective.
0

Please follow the steps below.

1. Disable the request validation wherever you need to, after reading here.

2. Then add this static method, which detects HTML tags in the request.

    internal static class CrossSiteScriptingValidation
    {
        // The two characters that can begin a sequence request validation treats as dangerous.
        private static readonly char[] startingChars = { '<', '&' };

        private static bool IsAtoZ(char c)
        {
            return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
        }

        // Returns true when s contains "<" followed by a letter, "!", "/" or "?",
        // or "&" followed by "#". matchIndex is the position of the last candidate
        // character examined (the position of the match when true is returned).
        internal static bool IsDangerousString(string s, out int matchIndex)
        {
            matchIndex = 0;
            int startIndex = 0;
            while (true)
            {
                int index = s.IndexOfAny(startingChars, startIndex);

                // No further candidate, or the candidate is the last character
                // (nothing can follow it), so the string is acceptable.
                if (index < 0 || index == s.Length - 1)
                    return false;

                matchIndex = index;
                char next = s[index + 1];
                switch (s[index])
                {
                    case '<':
                        // Looks like the start of a tag, comment, end tag or processing instruction.
                        if (IsAtoZ(next) || next == '!' || next == '/' || next == '?')
                            return true;
                        break;
                    case '&':
                        // Looks like the start of a numeric character reference (&#...).
                        if (next == '#')
                            return true;
                        break;
                }

                startIndex = index + 1;
            }
        }
    }

3. Call the above method in your code-behind to validate the form value manually, like this:

    int invalidTagIndex = 0;
    bool isDangerous = CrossSiteScriptingValidation.IsDangerousString(value, out invalidTagIndex);
    // isDangerous says whether to reject the value; invalidTagIndex is where the suspicious text starts

and based on the validation result, redirect to an error page or indicate the error to the user in any way you like. This step is required because simply turning off request validation could create an XSS threat to your site.

4 Comments

What bothers me is that I would need to check the input text or clean/sanitize it for every single input on the website. The web application has many pages with many possible input fields. How can I prevent the code from being all over the place? The system already checks whether it's potentially dangerous for me, I would just like some way to catch the result, and act accordingly.
@user1884155 Are you using ajax to postback the form or it's a synchronous form submission? Based on that I could give some suggestions.
It's a synchronous postback to the server
Thanks for the update. If I'm correct, I would have to add this as a custom validator to every input field on my website? So I turn off asp.net's automatic XSS detection, and replace it with this detection which I CAN react to. Thanks
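The comment on the question ("include your own custom javascript which inspects the form") and the answer above both come down to the same thing: run the server's rule on the client first, so the user gets a message instead of a silent failed postback. The following is an added example, not code from the original answers or from ASP.NET; it mirrors the `IsDangerousString` rule shown above in JavaScript. `attachPreSubmitCheck`, `findInvalidFields` and the `showMessage` callback are names chosen for this example, and the server-side request validation stays switched on; this only improves the feedback.

```javascript
// Added example (not from the original post): client-side mirror of the
// ASP.NET request-validation rule, run before the form is submitted.

// Same rule as the CrossSiteScriptingValidation method above: "<" followed by
// a letter, "!", "/" or "?", or "&" followed by "#". Returns the index of the
// first match, or -1 when the text is acceptable.
function dangerousIndex(text) {
  const match = /<[A-Za-z!\/?]|&#/.exec(text);
  return match ? match.index : -1;
}

// fields: array of { name, value }, one per text input. Returns the offending
// fields with the position of the problem and a short excerpt to show the user.
function findInvalidFields(fields) {
  const invalid = [];
  for (const field of fields) {
    const at = dangerousIndex(field.value);
    if (at >= 0) {
      invalid.push({ name: field.name, index: at, excerpt: field.value.slice(at, at + 10) });
    }
  }
  return invalid;
}

// Human-readable message, one line per offending field.
function describeProblems(invalid) {
  return invalid
    .map(f => `${f.name}: text like "${f.excerpt}" cannot be used in this field`)
    .join('\n');
}

// Hook a classic (synchronous) form submit. `form` is a DOM form element and
// `showMessage` is whatever displays the text (an alert, a <span>, ...).
function attachPreSubmitCheck(form, showMessage) {
  form.addEventListener('submit', function (event) {
    const fields = Array.from(form.querySelectorAll('input[type="text"], textarea'))
      .map(el => ({ name: el.name, value: el.value }));
    const invalid = findInvalidFields(fields);
    if (invalid.length > 0) {
      event.preventDefault(); // still no postback, but now the user knows why
      showMessage(describeProblems(invalid));
    }
  });
}
```

For UpdatePanel (partial) postbacks, which are what raise `Sys.WebForms.PageRequestManagerServerErrorException`, the native `submit` event is not the right hook; register the same check with `Sys.WebForms.PageRequestManager.getInstance().add_initializeRequest(...)` and cancel the request with `args.set_cancel(true)` instead. The client-side rule is only a courtesy to the user: the server's own validation remains the check that counts, so keep the two in step if one of them changes.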
0

My thought on this is a little different. Use javascript to encode the data before it is sent to the server and on the server side convert it back to normal. Doing it this way allows you to keep the built-in security.

JavaScript: encodeURI("<test>")

Equals: "%3Ctest%3E"

Either store that in your database or convert it back using .net Server.UrlDecode(text)

Comments
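The first answer (replace `<` and `>` before submit, restore later) and the answer just above (`encodeURI` on the client, `Server.UrlDecode` on the server) describe the same encode-then-decode path. The following is an added example, not code from either answer, that walks one value through that path and adds the step both of the other answers insist on: HTML-encoding when the stored text is written back into a page. `decodeOnServer` stands in for .NET's `Server.UrlDecode` because this example runs in JavaScript only; `encodeForPostback`, `htmlEncode` and `roundTrip` are names chosen here.

```javascript
// Added example (not from the original answers): encode on the client, decode
// on the server, HTML-encode on output.

// Client side: percent-encode the field value right before the postback.
// encodeURIComponent is used rather than encodeURI because encodeURI leaves
// "&" and "#" untouched, so a value such as "&#60;" would still trip request
// validation on the server.
function encodeForPostback(value) {
  return encodeURIComponent(value);
}

// Server side (stand-in for Server.UrlDecode): undo the percent encoding to
// recover the text the user actually typed.
function decodeOnServer(wireValue) {
  return decodeURIComponent(wireValue);
}

// Server side: HTML-encode every time the stored text is written into a page.
// This is the step that keeps the stored text from being parsed as markup.
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, ch => map[ch]);
}

// The whole path for one field value: what crosses the wire, what is stored,
// and what ends up in the rendered HTML.
function roundTrip(value) {
  const wire = encodeForPostback(value);
  const stored = decodeOnServer(wire);
  return { wire, stored, rendered: htmlEncode(stored) };
}
```

The decoded value is the same untrusted text the user typed, only now it has reached the server without request validation ever seeing it. Storing it as-is is fine; what must not be skipped is `htmlEncode` (or `HttpUtility.HtmlEncode` on the .NET side) at every place the value is rendered, which is exactly the condition the other answers attach to turning request validation off.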
