FreeTextBox

The no. 1 free ASP.NET HTML Editor.

"A potentially dangerous Request.Form value was detected"

Last post 08-02-2008, 5:42 AM by TreeUK. 8 replies.
  •  08-26-2005, 6:50 PM 4697

    "A potentially dangerous Request.Form value was detected"

    A potentially dangerous Request.Form value was detected from the client (ctl00_contentPlaceHolder1_FreeTextBox1="<P>Test</P>").

    Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.


    Hi, I placed a FreeTextBox component within a content placeholder in ASP.NET beta 2.0 as I am using master pages. I am getting this error message when I postback. Can anyone offer me some advice please?

    Thanks.
  •  08-29-2005, 6:54 AM 4702 in reply to 4697

    Re: "A potentially dangerous Request.Form value was detected"

    Try using ValidateRequest="false" in the page directive.



  •  03-31-2006, 5:58 PM 6140 in reply to 4702

    Re: "A potentially dangerous Request.Form value was detected"

    I added ValidateRequest="false" to my page directive, which solved the problem, but now all my asp:requiredvalidators are blowing up :-(

    Any idea?

  •  04-07-2006, 9:19 AM 6196 in reply to 6140

    Re: "A potentially dangerous Request.Form value was detected"

    We can't be the only people having this problem?  -- I don't think we are, given the number of people that have viewed this thread. :)

    I read on the asp.net forums that setting ValidateRequest='false' exposes your site to cross-site scripting attacks.  Is there not a secure solution?  I believe using something like Server.HTMLEncode would solve the problem, but is there a solution for those of us who don't have access to the source code?

  •  04-07-2006, 3:02 PM 6201 in reply to 6196

    Re: "A potentially dangerous Request.Form value was detected"

    You are correct that setting validaterequest="false" exposes your site to cross-site scripting. If you would anyway like to make it possible for your users to enter HTML tags, HttpUtility.HtmlEncode is the correct statement to use. That statement reduces the risk of XSS (or at best eliminates it) for the output of the HTML.

    Eirik

  •  04-10-2006, 1:21 AM 6211 in reply to 6201

    Re: "A potentially dangerous Request.Form value was detected"

    Where should we use this Server.HtmlEncode etc.? Please suggest an alternative to ValidateRequest="false".
  •  07-20-2008, 3:33 AM 9288 in reply to 6211

    Re: "A potentially dangerous Request.Form value was detected"

    This article is really good; it helped me solve the problem. Hope it will help someone else ^^

    http://www.asp.net/learn/whitepapers/request-validation/

  •  07-29-2008, 5:59 PM 9319 in reply to 4697

    Re: "A potentially dangerous Request.Form value was detected"

    Nonchalantly instructing people to disable request validation seems like a bit of a hack for a fairly valid issue. Isn't there some way to HTML-encode FTB contents on the client side with JavaScript before posting back?
  •  08-02-2008, 5:42 AM 9333 in reply to 9319

    Re: "A potentially dangerous Request.Form value was detected"

    You should never be blasé about disabling request validation.
    In this case you are allowing user-entered content, and you as the developer have to ensure that you handle the threat this opens to your application.

    If you read the article Rosell so helpfully posted, it explains this issue and the solution.

    If you're taking HTML input in a postback, all textboxes will be validated for scripting injection attacks by ASP.NET. To get around this, as people have said, turn validation off and use HttpUtility.HtmlEncode or Server.HtmlEncode on the contents of the FreeTextBox control before you persist the content to the database or output it.

    Think about it: the kinds of people who will abuse this scripting weakness are the same ones who would be able to bypass a client-side workaround, so you really don't want to be relying on client validation here.

    Anyway, if you know the risks, there are a few areas you can play with.

    You can register a JavaScript function to run on your form submit that will replace the contents of your editor with a cleaned version. I'm not going to write a script for you, but something along the lines of:
    var cleanedInput = document.getElementById(myeditorsgeneratedname).value.replace(/</g, "&lt;").replace(/>/g, "&gt;"); // global regex replace, so every tag is encoded, not just the first
    document.getElementById(myeditorsgeneratedname).value = cleanedInput; // write the cleaned text back before the form posts
    My JavaScript skills are pretty weak, but that's one avenue to pursue. [You'd have to set the control ID at runtime when you have the ID.] (Textbox controls get rendered as <input type=text>, which has a value property that contains the text.)

    If you put the editor in an iframe, the contents of the iframe won't be validated on postback of the form it's embedded in, which is worth noting if you're outputting any HTML content to a textbox.

    Hope this helps in some way.
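To make the encoding step that Eirik and TreeUK describe concrete, here is an added JavaScript example, not code from the thread or from FreeTextBox: it mirrors what HttpUtility.HtmlEncode does, shows why a first-match-only replace leaves raw tags behind, and uses a constructed saveComment function as a stand-in for the server-side encode-before-persist step. It runs in Node on the value quoted in the original error; the DOM hookup to the form's submit event is left out.

```javascript
// Added example; not code from the thread or from FreeTextBox.
// The sample input is the value quoted in the original error message.
const POSTED_VALUE = "<P>Test</P>";

// Encode the characters that matter in an HTML context, the same set
// HttpUtility.HtmlEncode handles (the apostrophe was added in later .NET
// versions). '&' goes first so entities produced here are not re-encoded.
function htmlEncode(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Inverse, for loading stored text back into the editor; '&' goes last.
function htmlDecode(s) {
  return s
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, ">")
    .replace(/&lt;/g, "<")
    .replace(/&amp;/g, "&");
}

// Common pitfall when sketching this by hand: String.replace with a string
// pattern touches only the first occurrence, so later tags stay raw.
function firstMatchOnlyEncode(s) {
  return s.replace("<", "&lt;").replace(">", "&gt;");
}

// Does the text still contain a raw angle bracket? Anything that does will
// still trip request validation and is still live markup if rendered.
function containsRawMarkup(s) {
  return /[<>]/.test(s);
}

// Server-side stand-in (constructed): encode whatever arrives, whether or not
// the browser did anything, then keep only the encoded form.
const storedComments = [];
function saveComment(postedValue) {
  const encoded = htmlEncode(postedValue);
  storedComments.push(encoded);
  return encoded;
}
```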
www.freetextbox.com