I have an issue regarding some interaction between JavaScript and an ASP.NET control.

In JavaScript I get the innerHTML of a contenteditable like this:

    var text = document.getElementById('corps').innerHTML;
    document.getElementById('corpsToServer').value = text;
    document.getElementById('callingServer').click();

This calls an action on a click event for an ASP.NET UpdatePanel that calls the server side of my application:

    <form id="Form1" runat="server">
    <asp:ScriptManager ID="ScriptManager1" runat="server" EnablePartialRendering="true" />
    <div>
        <asp:UpdatePanel ID="UpdatePanel1" runat="server" ChildrenAsTriggers="false" UpdateMode="Conditional">
            <ContentTemplate>
                <asp:Panel runat="server">
                    <br />
                    <asp:TextBox CssClass="serveurNeeded" runat="server" ID="corpsToServer" ClientIDMode="Static" ></asp:TextBox>
                    <br />
                    <asp:TextBox CssClass="serveurNeeded" ID="recup" runat="server" ClientIDMode="Static">
                    </asp:TextBox>
                </asp:Panel>
            </ContentTemplate>
            <Triggers>
                <asp:AsyncPostBackTrigger ControlID="callingProlexis" EventName="Click" />
            </Triggers>
        </asp:UpdatePanel>
    </div>
    <asp:Button CssClass="serveurNeeded" ID="callingProlexis" runat="server" OnClick="tryReturn"
        ClientIDMode="Static" Text="callhim" />
    </form>

Then the call is like this:

    <script language="C#" type="text/C#" runat="server">
        public void tryReturn(object sender, EventArgs e)
        {
            prolexisIMPL proxy = new prolexisIMPL();
            string getCorpsText = corpsToServer.Text;
            string retourTest = proxy.tryThis(getCorpsText);
            recup.Text = retourTest;
            UpdatePanel1.Update();
            ScriptManager.RegisterClientScriptBlock(this, GetType(), "mykey", "afterServerReturn();", true);
        }
    </script>

I have figured out that it is the passing of innerHTML that makes me get an error 500 from the server. Some posts say that it is a validation issue to prevent injection from the user side, but configuring:

    ValidateRequest="false"

is a bad idea and does not work.

How can I manage to send my innerHTML to the server side without this error showing up? Something like it pretending it's just a string and the tags are just part of the string, not HTML or JavaScript injection.

The configuration is ASP.NET MVC 4.0 without code-behind, vanilla JavaScript, IE5.

EDIT: the error:

    Sys.Webforms.PageRequestManagerServerErrorException: An unknown error occurred while processing the request on the server. The status code returned from the server was : 500
  • IE5? LOOL!!! Sorry - had to get that out of my system. Can you post the details of the 500 error? Commented Dec 22, 2015 at 10:10
  • @Archer yeah I know, don't tell me about it... Commented Dec 22, 2015 at 10:22
  • @Archer I had the error in the post Commented Dec 22, 2015 at 10:28
  • Sorry - my bad. I missed it at the bottom. I think I can't see 500 errors unless they have a yellow background :p Commented Dec 22, 2015 at 10:30
  • @Archer my bad, I just added it and forgot to put it in a code part. I'll change that so you can see it now :p Commented Dec 22, 2015 at 10:32

2 Answers

1

You have several solutions:

Encode HTML client side

The cleanest one is to encode your HTML before sending it to the server. You can do it easily with jQuery, but in JavaScript you will have to create your own encoding method. You can see an example here: http://www.yuki-onna.co.uk/html/encode.html

Disable Validation

You can disable the server validation, either by placing ValidateRequest="false" in your page header or by placing it in the web.config file (very dangerous, because it will be applied to your whole website).

This solution is not secure if you store the HTML data to display it on another page, because some users of your application will be able to send dangerous content that will be displayed in the browser of other users.


10 Comments

I don't get the [AllowHtml] part in the model property, sorry, I'm a noob regarding ASP.NET. I already tried ValidateRequest="false" but it did not work (our application is on an intranet and no user knows a single thing about JavaScript, so there will be no injection of content).
A question regarding the encoding of HTML: is it possible to encode it with JavaScript and decode it with C#? Are they using the same encoding?
Sorry, the [AllowHtml] solution is for ASP.NET MVC (I updated my answer accordingly). Where did you place the ValidateRequest="false" code?
I placed it in the header of my page (this page is an iframe, so maybe I need to place it in the parent of this iframe).
If the form is placed in the iframe, this should not be necessary.
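Added example, not part of the original answer or comments: a client-side encoder for the "Encode HTML client side" option, written without library calls or newer syntax so it suits the old browser in the question. The function names are hypothetical, the sample string is constructed, and `looksDangerousToAspNet` is a simplified model (an assumption) of what request validation rejects.

```javascript
// Constructed sample of what the contenteditable's innerHTML might hold.
var SAMPLE = '<p class="x">Tom & Jerry\'s <b>notes</b></p>';

// Simplified model (assumption) of the request-validation check: a value is
// rejected when it contains "<" followed by a letter, "!", "/" or "?",
// or the sequence "&#".
function looksDangerousToAspNet(s) {
  return /<[A-Za-z!\/?]/.test(s) || /&#/.test(s);
}

// Encode with named entities only. "&" goes first so the entities produced
// by the later replacements are not encoded a second time.
function encodeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Inverse, shown to check the round trip; on the server the same step is
// HttpUtility.HtmlDecode(corpsToServer.Text). "&amp;" is decoded last.
function decodeHtml(s) {
  return String(s)
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, ">")
    .replace(/&lt;/g, "<")
    .replace(/&amp;/g, "&");
}

// Variant that also encodes "'" as "&#39;", as many encoders do.
// The "&#" it produces is itself rejected by request validation.
function encodeHtmlNumeric(s) {
  return encodeHtml(s).replace(/'/g, "&#39;");
}

// Page wiring, using the element ids from the question's JavaScript.
function sendCorps() {
  var text = document.getElementById('corps').innerHTML;
  document.getElementById('corpsToServer').value = encodeHtml(text);
  document.getElementById('callingServer').click();
}
```

With the value encoded this way, request validation can stay enabled. The string that `HttpUtility.HtmlDecode` returns on the server is still user-supplied HTML and has to be encoded or sanitized before it is rendered to other users.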
-1

Use encoder.js for encoding HTML to safe scripts and then send it to ASP.NET. You have to set ValidateRequest="false" along with that. You can get examples here.

1 Comment

I can't use a third party lib and ValidateRequest="false" is a pretty bad idea.
