asp.net sanitizing user input - asp.net

Does asp.net have a built in mechanism that can sanitize all textbox input instead of redirecting to the error page?
I have a textbox input where a user can enter a name, but if they try to enter and <> tags the page automatically throws an error. I just want to handle this error in a user friendly way.

You'll want to look at the AntiXSS library for that. It's a dll so it's easy to drop in and start using it.
The download is at CodePlex.

You can use the ASP.NET RegularExpressionValidator control with a pattern like: ^[^<>]*$
<asp:RegularExpressionValidator ID="rev" runat="server"
ControlToValidate="txtBox"
ErrorMessage="The <> tags are not allowed!"
ValidationExpression="[^<>]*" />
<asp:RequiredFieldValidator ID="rfv" runat="server" ControlToValidate="txtBox"
ErrorMessage="Value can't be empty" />
The RequiredFieldValidator is used in conjunction with the RegularExpressionValidator to prevent blank entries. If that textbox is optional, and only needs to be validated when something is entered, then you don't have to use the RequiredFieldValidator.
The benefit of doing it this way is that the error can be handled gracefully and the user can be notified on the same page.
However, if you need to do this for many textboxes and you just want to present something nicer than the error page, you could handle the ValidateRequest error to provide a friendlier message and keep the user on the same page (not just replace it with a custom error page). For more info, check out Kirk Evans' post: Handling ValidateRequest errors within a Page (refer to the section titled Overriding the OnError Method).

Read this for a step-by-step: http://yourtahir.wordpress.com/2008/03/28/aspnet-not-allow-html-in-text-boxserver-error-in-application-a-potentialy-dangerous-requestform-value-was-detected/
You have to do some web.config work.

ASP.net has validation controls
[http://msdn.microsoft.com/en-us/library/7kh55542.aspx][1]
Also there is Mark Down Editor which is a control that strips out html tags etc.

Related

ValidationSummary not working with Login control

I'm following this walkthrough from Microsoft:
"Walkthrough: Creating a Web Site with Membership and User Login"
http://msdn.microsoft.com/en-us/library/879kf95c(v=vs.100).aspx
My Login control works and authenticates me successfully. It also shows the little validation *'s if I type the password wrong, so it seems like it is validating. However, the ValidationSummary that is associated with this Login control never displays any of the logon errors.
My code is like this. I set the ValidationGroup just like it said in the Walkthrough:
<asp:ValidationSummary ID="ValidationSummary1" runat="server" ValidationGroup="Login1" />
<asp:Login ID="Login1" runat="server"></asp:Login>
Can anyone let me know what I'm missing?
Thanks!
Sandra
The ValidationGroup for the child controls will be set to the UniqueID of the Login control. Since you're using a master page, this will not be the same as the ID. Instead, it will be something like ctl00$Login1.
The simplest workaround is to set the ValidationGroup from the code-behind:
ValidationSummary1.ValidationGroup = Login1.UniqueID;
Alternatively, you can customize the LayoutTemplate and manually specify the ValidationGroup on the child validator controls.

ASP ChangePassword control changepasswordfailuretext does not show

I'm using the ASP ChangePassword control. When a user fails to enter their current password correctly I just get a control refresh with all fields cleared, not the changepasswordfailuretext. Googled this and found that you should use ChangePasswordError method to catch this. I put a breakpoint in this method and did not get stop here when the current password was incorrect.
How do I show my users that they have entered their current password incorrectly?
Just ran into this myself and found an answer. If you are customizing the display using ChangePasswordTemplate and SuccessTemplate, you also need to add a control with the id "FailureText". This control gets populated with your configured message in the event of an error:
<asp:Literal ID="FailureText" runat="server" />
http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.changepassword.changepasswordtemplate.aspx

Server side validation

I am having an issue with the requiredfieldvalidator control not working on an ASP.net page. I have completed the attributes of that field properly, but when I test it, the postback is allowed to happen even if the field in question is blank.
So I want to do server side validation instead. What is the best way to do that? In the event that caused the postback? Also, if I find out the field is blank, how do I get the user back to the screen with all other values they placed on other fields intact and a message saying "This field cannot be blank".
EDIT:
This is the code:
<asp:TextBox ID="fName" TabIndex="1" runat="server" Width="221px" CausesValidation="True"></asp:TextBox>
<asp:RequiredFieldValidator ID="FNameRequiredFieldValidator" runat="server" ControlToValidate="fName" InitialValue="" ErrorMessage="Filter Name cannot be blank." ToolTip="Filter Name cannot be blank.">*</asp:RequiredFieldValidator>
You need to provide the markup for your Button / Link control as well.
The 'CausesValidation' attribute is not supposed to be used on TextBox controls.
The button you click needs to have that attribute set to "True".
Please provide that markup and then I can advise on the alternate server side validation.
To enable Client-side Validation, set the EnableClientScript="true" on the RequiredFieldValidator.
You should also always validate on the server side too. But the RequiredFieldValidator doesn't let you do any special-handling server-side. Just check if Page.IsValid(). This will return false if the field is not supplied.
If you want to do custom validation, use a CustomValidator.

how to check a particular asp.net validation control is valid?

In a web form there are different asp.net validation controls. Is it possible to check a particular validation control is valid ? For example on leaving focus of textbox, first I will check requiredFieldValidatorUserName is valid ? If it is valid then I will check on server using ajax that this user name is not booked already.
Edit:
Explaination: I want to check validity (that input was valid) of a validation control on client side.
Please guide.
All validator controls implement IValidator which contains the IsValid property.
myValidatorControl.IsValid
The best way would be to use a CustomValidator with client side code, as this will display all the error messages, block form submission and also ensure that the validation is repeated at the server side - remember, just because you have client-side validation available, doesn't mean the user's seen it: Always validate your input at the server as well.
Your CustomValidator would then be coded to call the Ajax methods, and would show the error messages correctly to the client:
<asp:Label ID="UserNameLabel" AssociatedControlID="UserName" runat="server">
UserName *:</asp:Label>
<asp:TextBox ID="UserName" runat="server" />
<asp:RequiredFieldValidator ID="UserNameRequired" runat="server"
ControlToValidate="UserName" EnableClientScript="true"
ErrorMessage="You must supply a username!" />
<asp:CustomValidator ID="UserNameCustom" runat="server"
ControlToValidate="UserName"
ClientValidationFunction="CheckExisting"
OnServerValidate="UserNameCustomValidate"
ErrorMessage="Username already taken" />
And your ClientValidationFunction should look something like:
<script type="text/javascript">
function CheckExisting(source, arguments) {
// Pass the arguments.Value to your AJAX call:
if (ajaxCallUserNameTaken(arguments.Value)) {
arguments.IsValid = false;
}
}
</script>
(Obviously, you'll need to write the ajaxCallUserNameTaken method to call your page method/web service/etc.)
Doing it this way will ensure that the validation methods happen as expected; this will get called whenever the user tabs out of the textbox leaving a value (it won't get called if the textbox is empty), and will ensure that the user can't submit the page until they supply a unique value. You'll also want to create the method referenced in OnServerValidate to ensure that the value's good once it hits the server too - this should call the same code that the AJAX endpoint uses to reduce duplication of code, etc.
I was originally going to suggest that you could use the Page_Validators object on the client-side to do some checking in the onBlur event, but I don't really think this is suitable here as it results in more pain:
It assumes that although there might be more than one validator on the page, there's only the RequiredFieldValidator on the control we're checking
The RequiredFieldValidator isn't fired during OnBlur if a user moves out of a control without setting a value - only if they set and clear the value, so even if isvalid is true, you need to check for an empty string!
You could do this by setting the ValidationGroup for the Validator control that you want to treat as separate from the others. Make sure it matches the ValidationGroup of the control it's validating (your username field).
I have just faced the same issue and I Set CausesValidation="true" to the textbox control and it worked. Just give it a try :)
I have been messing around with this around for a bit and found a rather easy (not so efficient) solution to handle this using jQuery.
Use this function to check the validity of your control:
function validateControl() {
return $('#YOUR_VALIDATOR_ID').css("visibility") == "visible"
if you're using Display="Dynamic" on your validator then the function is like so:
function validateControl() {
return return $('#YOUR_VALIDATOR_ID').css("display") == "inline"
Be sure to check the true ID of your validator if you're using a Masterpage, as it will be different than the one in your IDE. Do so by viewing the page source in your browser.
The best solution will be of course to validate your form in some other way, using JavaScript or a CustomValidator that lets you write your own code.

Use HtmlEncode in Details View TemplateItem Control

I have details view control in my asp.net web form, which on of its item template gets it is value from database, and show this into a richtextbox :
<FTB:FreeTextBox id="txtDescription" runat="Server" AllowHtmlMode="false" Text='<%# (Eval("Description") )%>'
>
</FTB:FreeTextBox>
but when i click on insert or update button, i get the following error :
A potentially dangerous Request.Form value was detected from the client ....
i tried this :
Text='<%# HttpUtility.HtmlDecode((string)Eval("Description"))%>'
bu it did not work ethier, and i got the error again.
is there any way except turning validateRequest off.
Would you please help me?
No, there isn't a way to get this to work aside from turning Validate Request off. Which isn't a bad thing if you write your database functionality correctly and implement strict custom form validation.

Resources