
How To Allow HTML Tags In TextBox Control?

Let's say you have one TextBox control and one Button control on a web form. On button click, your application should take the text from the TextBox control and do something smart with it. It works fine until you try to insert an HTML tag. For example, try to insert the text "Hello <br /> World", as in the image below.

Image 1: Text of TextBox control contains HTML tag

If you click the button now, your application will throw an exception, with output similar to this:

Server Error in '/TestWebSite' Application.


A potentially dangerous Request.Form value was detected from the client (txtAllowHTML="Hello <br /> World").
Description:
Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (txtAllowHTML="Hello <br /> World").

...

...

 

To avoid this problem and allow HTML tags in the TextBox control, you need to set the ValidateRequest attribute of the Page directive to false. You can do it as in the code below:

<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Default.aspx.vb" ValidateRequest="false" Inherits="_Default" %>

 

After this change, your application will accept every input, including HTML tags.

Security issues when allowing HTML tags

Note that the ValidateRequest attribute exists for a reason. When you change its default value, insecure input will be accepted. Because of that, you need to validate every user input yourself to avoid cross-site scripting attacks, such as the insertion of malicious JavaScript, ActiveX, Flash or HTML.
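
One way to do that validation in the page's code-behind, shown as an added example that is not part of the original article: encode the whole input first, then restore only a short allowlist of exact tags. The control names btnSubmit and litOutput, the SanitizeHtml helper and the tag list are assumptions; txtAllowHTML is the TextBox named in the error message above.

```vbnet
Imports System
Imports System.Web

' Code-behind for Default.aspx (the page that has ValidateRequest="false").
Partial Class _Default
    Inherits System.Web.UI.Page

    ' Assumed allowlist: only these exact tags, without attributes, are restored.
    Private Shared ReadOnly AllowedTags As String() = _
        {"<br />", "<br>", "<b>", "</b>", "<i>", "</i>"}

    ' Encodes everything, then re-enables only the allowlisted tags.
    Public Shared Function SanitizeHtml(ByVal input As String) As String
        If String.IsNullOrEmpty(input) Then Return String.Empty

        ' Step 1: neutralize all markup ("<" becomes "&lt;", "&" becomes "&amp;", ...).
        Dim encoded As String = HttpUtility.HtmlEncode(input)

        ' Step 2: turn the encoded form of each allowed tag back into the real tag.
        ' The match is exact and case-sensitive, so "<b onclick=...>", "<script>"
        ' or "<BR>" never match and stay encoded (fail closed).
        For Each tag As String In AllowedTags
            encoded = encoded.Replace(HttpUtility.HtmlEncode(tag), tag)
        Next

        Return encoded
    End Function

    ' btnSubmit and litOutput are hypothetical control names for this example.
    Protected Sub btnSubmit_Click(ByVal sender As Object, ByVal e As EventArgs) _
        Handles btnSubmit.Click

        ' "Hello <br /> World" keeps its line break;
        ' "<script>alert(1)</script>" is rendered as visible text, not executed.
        litOutput.Text = SanitizeHtml(txtAllowHTML.Text)
    End Sub
End Class
```

Because the input is encoded before the allowlist is applied, text that a user types already in encoded form (for example "&lt;b&gt;") is double-encoded and cannot be turned into a live tag by step 2.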






Copyright © 2002-2008 Bean Software. All rights reserved.