In my aspx page, I have a textbox that allows users to input HTML tags. But it gets the following validation error: "A potentially dangerous Request.Form value was detected from the client ...". I tried several ways to prevent it; none of them works except setting ValidateRequest to false. Now I am wondering whether there is any way I can disable server-side validation for this textbox. I know in MVC there are a couple of ways. But I am not using MVC. My page is just regular aspx; is there any way to do that?
I tried to set CausesValidation to False for my TextBox, didn't work, still getting the error.
Have a look here: http://msdn.microsoft.com/en-us/library/bt244wbb.aspx
You can disable on a per control basis.
Related
I'm populating a DropDownList using JS on the client and validating with a RequiredFieldValidator.
This works fine on the client but the Page.IsValid consistently comes back false on the server.
Is this because the selected value wasn't in the DropDownList when it was first served to the page?
What's the easiest way around this? (I need to leave server validation turned on)
Is this because the selected value wasn't in the DropDownList when it was first served to the page?
Yes. You'll probably notice that your dropdownlist will contain no items when you do your postback, and yes, this is because you're adding your items on the client side. Any items that you add to a control on the client are totally unknown to the server. Therefore, your server validation will always fail, since that field is required.
In fact, adding items dynamically with client script will trigger EventValidation to complain that there is a possible security problem, and you'll have had to set EnableEventValidation to false in your <%@ Page %> directive to be able to post.
The best way around this is to either
Generate your items on the server side, or
Not use a server control for this (use a regular non-asp.net select list) and manually validate it on the server by looking at the posted values.
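The second option above, wired into Page.IsValid so that server validation stays on, as an added example that is not from the original answer. The page, control and option names (`Order`, `cvCity`, the `city` select, the city codes) are hypothetical, and the markup it assumes is in the leading comment.

```csharp
// Assumed markup (hypothetical names); the <select> is filled by client script:
//   <select name="city" id="city"></select>
//   <asp:CustomValidator ID="cvCity" runat="server" Display="Dynamic"
//        ErrorMessage="Please choose a city from the list."
//        OnServerValidate="cvCity_ServerValidate" />
//   <asp:Button ID="btnSubmit" runat="server" Text="Submit" OnClick="btnSubmit_Click" />
using System;
using System.Collections.Generic;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Order : Page
{
    // Server-side source of truth: the same values the client script offers.
    // Constructed sample data.
    private static readonly HashSet<string> AllowedCities =
        new HashSet<string>(StringComparer.Ordinal) { "AMS", "BER", "LIS" };

    // The validator has no ControlToValidate, so args.Value is empty;
    // read the posted value of the plain <select> from the form instead.
    protected void cvCity_ServerValidate(object source, ServerValidateEventArgs args)
    {
        string posted = Request.Form["city"];
        args.IsValid = !string.IsNullOrEmpty(posted) && AllowedCities.Contains(posted);
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Page.Validate() has already run the CustomValidator for this postback.
        if (!Page.IsValid)
            return;

        string city = Request.Form["city"]; // now known to be one of AllowedCities
        SaveOrder(city);
    }

    private void SaveOrder(string city)
    {
        // Hypothetical persistence step; replace with the application's own.
        Session["city"] = city;
    }
}
```

Because the select is not a server control, event validation has nothing to check for it and EnableEventValidation can stay at its default of true.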
All ASP.Net client validation messages can be shown as an alert by setting the ShowMessageBox="True" property on the ValidationSummary control.
This works fine for anything that happens on the client.
For the custom validators that validate server-side I had assumed that what would happen is that when the page is returned to the browser, ASP.Net would inject some javascript to show the alert box. However this isn't the case.
If you had relied on the message box to show detail and just have a * next to the erroneous field (as per my client's requirements) then it won't work as intended.
Does anyone have a solution for doing this? What I want is a way to possibly override the ValidationSummary control to inject javascript onto the page or something like this.
Thanks in advance.
You may use Page.RegisterStartupScript to show alerts after server-side validation.
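One way to do this, as an added example that is not from the original answer: collect the messages of the validators that failed on the server and emit a single alert. It uses ClientScript.RegisterStartupScript, the non-obsolete form of Page.RegisterStartupScript, and assumes .NET 4.0 or later for HttpUtility.JavaScriptStringEncode; the page name and script key are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;

public partial class Signup : Page
{
    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        if (!IsPostBack)
            return;

        // Inspect each validator rather than Page.IsValid, which throws if the
        // postback came from a control with CausesValidation="false".
        var messages = new List<string>();
        foreach (IValidator v in Page.Validators)
        {
            if (!v.IsValid && !string.IsNullOrEmpty(v.ErrorMessage))
                messages.Add(v.ErrorMessage);
        }
        if (messages.Count == 0)
            return;

        // Encode for a JavaScript string literal: an error message that echoes
        // user input must not be able to close the string and inject script.
        string literal = HttpUtility.JavaScriptStringEncode(
            string.Join("\n", messages), true); // true = add surrounding quotes

        ClientScript.RegisterStartupScript(
            GetType(), "serverValidationAlert", "alert(" + literal + ");", true);
    }
}
```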
I am getting the error: "Invalid postback or callback argument. Event validation is enabled using in configuration or in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation." I am not modifying the data in controls through javascript. The error happens very infrequently and I am only aware of it due to some automatic e-mailing I have set up when exceptions are thrown. What is the best way for me to go about finding the cause of the exception? Is it possible that on occasions some text entered into a text box is causing this error and I need to be doing an Html Encode? When would I do the encode?
If the problem happens very infrequently it usually means that some user has posted a page too quickly or has a very poor connection that does not allow all the hidden ASP.net callback javascript mechanism to be in place.
I've often encountered this issue when a user submits a form with a potentially dangerous character in the field ('<', '>', etc.). If your page needs to allow these characters to be submitted in a form, you need to set the page-level property 'ValidateRequest' to false.
Ex.
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="MyClass.cs" Inherits="MyClass" ValidateRequest="false" %>
If you want to block these types of submissions (which is usually advisable), you'll probably need to add client-side scripting to prevent entry of invalid characters to the form. If the user can't enter the invalid values, then the form can post successfully. If you try to do the validation only on the server-side, it won't be run because the .NET ValidateRequest happens first.
I've had this error before, it turned out someone had changed the "action" attribute of the form runat="server" tag to a different url (which doesn't work unless using cross page postbacks).
-edit: in this case of course it doesn't happen infrequently, so it's probably not going to help you to the right solution
I am getting this error in my asp.net page:
A potentially dangerous Request.Form value was detected from the client (ctl00$DefaultContent$UCSimpleSearch$txtFind="$%^&#%^&##%#").
I get this error when I type $%^&#%^&##%# in a textbox of this page and hit submit.
How do I overcome this error?
Is it recommended to set validateRequest=false in the Page directive to get rid of this?
Setting ValidateRequest to false is one way to work around this error. What you have to decide is whether or not any of these characters are valid input characters for your form. If they are then you need to turn this off and ensure that you handle all user input correctly.
I can't seem to find a list of the dangerous characters, so if anyone knows one it would be of value to have a link to it.
Some good information can be found here.
As a general rule you should always be html encoding any data you place on your site so turning this off should not cause any harm. However if you are not sure if you are, it is best to leave it on and not allow this data in your form.
Putting validateRequest=false in the page directive should only be done if you're sure you're going to validate it yourself and you want to have anything anyone can think of to be posted to your server.
If that string you typed in is valid input you will need to disable request validation.
Is it recommended to set validateRequest=false in the Page directive to get rid of this?
If you can handle the validation of the textbox input explicitly, why not?
It means that you can't post values containing HTML tags to the server. It was added in very early versions of the .NET Framework for security reasons.
If you have to enable users posting html tags you can add validateRequest="false" to the page directive
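What "validate it yourself" and "always HTML encode" look like together, for both the single-textbox question at the top of the page and the answers above, as an added example that is not from the original posts. It assumes ASP.NET 4.5 or later, where request validation can be switched off for one control instead of the whole page; the page and control names are hypothetical.

```csharp
// Assumed configuration and markup (ASP.NET 4.5+, hypothetical names):
//   web.config:  <httpRuntime requestValidationMode="4.5" />
//   <asp:TextBox ID="txtFind" runat="server" ValidateRequestMode="Disabled" />
//   <asp:Button ID="btnFind" runat="server" Text="Find" OnClick="btnFind_Click" />
//   <asp:Literal ID="litEcho" runat="server" />
// Every other control on the page keeps request validation.
using System;
using System.Web;
using System.Web.UI;

public partial class Search : Page
{
    private const int MaxLength = 200; // assumed limit for a search term

    protected void btnFind_Click(object sender, EventArgs e)
    {
        string term = (txtFind.Text ?? string.Empty).Trim();

        // Explicit validation replacing the framework check for this field:
        // bound the length and reject control characters.
        if (term.Length == 0 || term.Length > MaxLength || HasControlChars(term))
        {
            litEcho.Text = "Enter a search term of up to " + MaxLength + " characters.";
            return;
        }

        // Keep the raw value for the search itself and encode only on output.
        // A Literal does not encode its Text by default, so "<b>x</b>" must be
        // encoded here to be rendered as visible text rather than as markup.
        litEcho.Text = "Results for: " + HttpUtility.HtmlEncode(term);
    }

    private static bool HasControlChars(string s)
    {
        foreach (char c in s)
        {
            if (char.IsControl(c))
                return true;
        }
        return false;
    }
}
```

Encoding displays submitted tags as text; rendering them as markup would need an allow-list HTML sanitizer, which this example does not include.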
I would like to remove these hidden fields in my ASP.NET pages. Alternatively change the names or make sure the server code ignores them.
(I know I will lose some functionality, but I think it is better to handle it than removing 'runat=server'. The only thing I am worried about is UpdatePanel, which I really need)
(The above is complete, further background is here)
As far as I'm aware, you can't get rid of the ViewState altogether - i.e. you can't get rid of that hidden input field called __VIEWSTATE.
Controls can still access the ControlState when the ViewState is disabled. The ControlState is actually stored within the ViewState, so it winds up in the __VIEWSTATE hidden field.
Thus turning off the ViewState for the whole page will only make this hidden field smaller - it won't get rid of it altogether.
I believe .NET puts a small amount of its own secret information in there too, so if you really hack it and override how the page renders to get rid of this hidden field altogether, you'll probably find that your site stops working.
You may also remove "form" tag from aspx, but then server controls postback won't work.
I used this in Ajax loaded popup.aspx and shows OK.
You have not mentioned what exactly it is about ViewState that is bothering you and why you want to ignore the field, so it is difficult to provide a better solution without understanding the context of the problem.
You can disable ViewState at the page level by setting the EnableViewState attribute of the Page directive to false.
<%@ Page EnableViewState="false" %>
Alternatively, you can turn off ViewState for Server controls by setting the respective control's EnableViewState property to false.