I have a very basic ASP.NET web site. It has a single page (TestPage.aspx) that I want to be able to launch using a POST request with some XML input. The basic HTML page that launches the request looks like this:
<html>
<head>
</head>
<body>
<form action="http://webserver/TestPage.aspx" name="Launch" method="post">
<input type="hidden" name="XMLmsg" value="<initialize>...</initialize>">
<input type="submit" value="Submit">
</form>
</body>
</html>
When the TestPage launches, however, I get the easily 'Google-able' "A potentially dangerous Request.Form value was detected from the client" error message.
It seems like the solution would be to put ValidateRequest="false" into my TestPage.aspx file, right? I thought so, too. And the internet told me the same thing. The only problem is...that didn't change anything. I still get the error.
I really need to be able to parse this XML. What can I do?
Well, I finally managed to get a solution to my problem, even if it's not perfect.
You can follow this link to a forum post where the whole process is tracked. The gist of it is that even added the necessary attributes didn't stop ASP.NET from validating requests from a standard HTML page, so I had to resort to writing a CGI app to accept the request and parse the inputs before sending back the necessary response.
For information on writing CGI for ASP.NET you can go here.
Is it optimal? No.
Is it clean? Not exactly.
Does it work? Yes.
Related
This question already has answers here:
Ajax without JavaScript
(11 answers)
Closed 3 years ago.
I have read an article that combining HTML and CSS results in a touring complete language. At my work place we are trying to avoid the use of Javascript for efficiency and client demands.
Where would I start in creating a network request using CSS and HTML only?
This should work when browser has javascript disabled
ABOUT Ajax:
Ajax (also AJAX) is short for asynchronous JavaScript and XML. No JavaScript, no Ajax.
JQuery, one lib of JavaScript, can easily achieve the goal of Ajax, but when JavaScript is disabled, its' Ajax can't work any more.
ABOUT CSS:
CSS is Cascading Style Sheets, pure CSS actually control the style of your webpage, like font size and font color, not about networking request.
So, maybe you key problem is how to make a request using HTML, the answer is using HTML tags like , for example:
<!DOCTYPE html>
<html>
<body>
<h2>HTML Forms</h2>
<form action="/action_page.php">
First name:<br>
<input type="text" name="firstname" value="Mickey">
<br>
Last name:<br>
<input type="text" name="lastname" value="Mouse">
<br><br>
<input type="submit" value="Submit">
</form>
<p>If you click the "Submit" button, the form-data will be sent to a page called "/action_page.php".</p>
</body>
</html>
Sample code from W3schools.
In this example, there is only HTML/CSS in the frontend. Note the action attribute in the form tag, it's the server side path of your request to submit. Once you click the button "submit", data in input box will be sent to the specified path in server side, in this example is "/action_page.php", and the click action makes the web page achieve a request without JavaScript.
Ajax, in a sense, is also one type of contact with server (in the way of Fetch or XMLHttpRequest) like pure HTML forms, the difference between Ajax and pure HTML form is that:
In Ajax way, make a small request, like update your web account logo, needn't
to refresh and download all the web page, but in pure HTML forms you
must. And this is the point of asynchronous in the asynchronous
JavaScript and XML, i.e. Ajax.
In my project I want to run 2 forms in one webpage which is master page one is for contact us and one is for signup user. but multiple server side forms are not allowed. is there any solution for fix it?
You can use postback ability of Asp.net Webforms.
You should create one button for singup and another one for contact. You can catch event in server side and you do what want to do.
You can create regular client side forms created using HTML in the master page, and use the Request.Form to read the posted data. For this to work, all the input elements must have a name, and you can read them using Request.Form["ElementName"].
Take into account that forms cannot be nested.
So, your master page needs to llok like this
...
<body>
<form id="form1" runat="server">
</form>
<form id="contact" action="Contact.aspx" method="post">
<input type="text" name="Message"/>
<input type="submit" value="Contact us!"/>
</form>
</body>
The first <form> is the regular ASP.NET server side form, which supports server side components
The second <form> is a custom HTML form. It doesn't have the runat="server" attribute, and it's outside the server side <form>.
The second form action points to a .aspx page. In its page load event you can use the Request.Form["Name"] to acces the name of the contact form. Note that you also need to include a submit button to send the data to the server, and a method="post" to specify the method to send the page.
This is resorting to "basic" HTML controls, so there is no View State, and the posted values will be lost if they're not reset in the server. I.e. if the form is posted, and there's an error, the previously posted values will be lost when rendering the page again.
If you want to make it more sophisticated you can use Javascript and, optionally AJAX. But that's a more complex solution. See this for an example.
ASP.NET Forms only supports one form. You could use an iFrame and render your second page (second form) inside of the iFrame.
Here is an interesting post about placing some page content after the tag. This may be helpful to you.
http://forums.asp.net/t/1611822.aspx?Dynamically+adding+content+to+page+outside+of+the+aspnet+form+from+within+a+UC
I have a classic asp application. I want to post a contest form from that page to an Asp.Net form. The reason is that I want to use a lot of logic i have built into an Asp.Net page for validation before entering into the database and I don't know asp very well. Not to mention asp.Net being more secure.
What's the best way to accomplish this goal? My thoughts are as follows:
My asp Page:
<html>
<body>
<form action="/Contests/entry.aspx" method="post">
Name: <input type="text" name="fname" size="20" />
Last Name: <input type="text" name="lname" size="20" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
aspx page is running in a Virtual Directory and would handle anything posted to it.
Is this possible, or does aspx prevent this kind of thing?
I ( preferably ) don't want to create the form in aspx as my colleague wants to have control of the page and build the html himself and I don't want the hassle of constantly changing it.
Are there caveats I need to consider?
What roadblocks will I run into?
How do I access the Posted Form Values? Request.Form?
Yes it is possible. In general, a POST is a POST. So you can post from a PHP page to a .NET page if you wanted. You would access the Request.Form variables just as you do now. You will have to look at the ASP Classic page to see the names of the post items but in general, you can access them as if you had pasted from .NET page.
This can be done and works fine. You will access the Posted Form values as you said via Request.Form.
I think the biggest caveat is that you will need to handle invalid data in some way - typically with a webform the .aspx page would be displayed again with validation errors, but that would likely be inappropriate for your circumstance. Probably you will need to redirect them back to the .asp page with query string parameters indicating the failures and the page will need code allowing it to fill in the form fields with their previous values and display the error message.
How about calling an ASP.NET webservice from classic asp?
https://web.archive.org/web/20210125161040/http://www.4guysfromrolla.com/webtech/070302-1.shtml
Can anyone explain what might be causing this error. Im thinking its the quotes.
Exception Details: System.Web.HttpRequestValidationException: A potentially
dangerousRequest.Form value was detected from the client
(ctl00$ContentPlaceHolder1$DetailsView1$txtContent="...l economy.<br /><br />The
Prop...").
The contents of a control (probably a textbox) contains what ASP.net considers to be markup, eg:
<br /><br />
You can add ValidateRequest="false" to the Page directive in your .aspx file as follows:
<%# Page ........ ValidateRequest="false" ........ %>
As other answers noted, asp.net is doing this to try and protect you from potentially malicious input so make sure you're aware of the risk and encode/decode user data appropriately.
I think you can take a look at this A potentially dangerous Request.Form value was detected
Its the html "<br/>" tags.
Here's an article with a brief explanation . Also shows you how to work around it by turning off validation. Though I guess that would be a bit dangerous to just turn it off.
It actually should be
<br /><br />
it complains about.
That would be the '<' and '>'.
EDIT: It's assumed that including html entries in form responses is intended as an attack on the server on which the form resides. So, by default, any code that resembles html (i.e. includes '<' or '>') is automatically flagged as a problem.
One way to resolve this is to turn off this type of validation by setting validateRequest="false" in the Page directive for that page, but there are other (and better) ways to work around that.
Here's some information from Microsoft about this issue.
My idea: allow this exception to be thrown. Use Application_Error handler to write code, that redirects (using Response.Redirect - this is important, since this gives users’ browser ability to go back) user to a custom error page. On this page write some text explaining that users had incorrectly input some text. Something like:
"Dear user, you have entered some invalid text, like “<” or “.”. Please, enter text using only characters and numbers".
Put a link on that page, and this link can contain a javascript "back" command:
href="javascript: history.go(-1)"
Users after clicking suchlink will be redirected by their browsers to the previous page, where they can re-edit their input.
I am building a german payment provider into my site.
But when I click on "Submit", nothing happens. Can someone please help me? I think I've looked at it too much and I can't see the forest for the trees anymore...
<form method="post" action="https://www.sofortueberweisung.de/payment/start">
<input name="currency_id" type="hidden" value="EUR" />
<input name="reason_1" type="hidden" value="Zambuu" />
<input name="user_id" type="hidden" value="29593" />
<input name="project_id" type="hidden" value="80145" />
<input type="submit" value="Absenden" />
</form>
Okay, so it's a little bit unclear what I want, it seems:
I have a lot of asp-sites allready, and now I must send, however, the information that is given by the hidden inputs by post-method to the site "sofortüberweisung.de/payment/start".
However I can solve it, it's not nessecary, there is no need for a form-tag, if there is another solution (e.g. with the code behind).
So: How can I send a lot of post information (these here is only an exmaple, in the real site there are a lot more) with code and redirect it to the right site?
If the code you have provided is within a standard ASP.NET form, so that you have nested form tags, try the solutions provided to this Stack Overflow question.
If it is possible to have this page be a simple html form, that is another possible solution.
Your button needs to have the runat="server" attribute set and it might be worth doing the same on your form atttribute.
Also remember in asp.net webforms you can only have one form tag.
I've had this issue a couple of times before where when creating an HTML form inside an ASP.NET form tag, the inner form just wouldn't post out.
One solution for me was to adjust the ASP.NET form tag wrapper for that page (moving the close above the HTML tag).
Another (where I needed ASP.NET controls obove and below the HTML form) was to add an iframe, passing the parameters for the form post to the iframe URL. Using JavaScript, the iframe then used those parameters to post the form to a new window/the parent window. Probably better ways, but it worked for me.