1

I would like to know what rules are used to determine what is a potentially dangerous form value so that I can write client side validation to prevent it hitting the server. Ideally I would like to know how the framework determines what is a potentially dangerous combination of characters, so I could use the same rules in my custom validator to prevent them ever hitting the server.

bluntstone
  • Not exactly a rule but using *Prepared Statements* usually reduces the chance of having a client submit a set of *special* characters that could potentially jeopardize your database. – npinti Jun 26 '12 at 07:26
  • not just your database, not sure how – bluntstone Jun 26 '12 at 07:36
  • You could process the text you are being submitted and remove any special characters. – npinti Jun 26 '12 at 07:38
  • @bluntstone, ` – Furqan Hameedi Jun 26 '12 at 07:41
  • Yeah, I know, that's what I was saying: allowing script tags has nothing to do with the db – bluntstone Jun 26 '12 at 07:45
  • exactly @npinti but what are those special characters, what does the framework use to determine what they are – bluntstone Jun 26 '12 at 07:46
  • I was essentially looking for this: http://stackoverflow.com/questions/8744002/asp-net-potentially-dangerous-request-javascript-regex – bluntstone Jun 27 '12 at 01:10

1 Answer

2

Reasons:

  1. This error generally arises when valid HTML is entered in a text input, i.e. with opening and closing HTML tags <****>.

  2. It is also caused by entering HTML entities like &nbsp; &amp; &lt; &gt; &quot; etc.

  3. In simple words, you can say that if the text input contains some symbols like ">, &, <, ="; etc., it will be recognized as a dangerous value.

To resolve it, you can use:

<system.web>
    <httpRuntime requestValidationMode="2.0" />
</system.web>

in your web.config to validate such inputs.

OR

You can HTML-encode the input using:

String clean_value = Server.HtmlEncode(TextBox1.Text);

The following articles may help you:

How To Catch HttpRequestValidationException

http://www.cryer.co.uk/brian/mswinswdev/ms_vbnet_server_error_potentially_dangerous.htm

A potentially dangerous Request.Form value was detected from the client

Hope this helps.

AlphaMale
  • I actually don't want to do that. I know I can switch off the validation or switch it on; I am more concerned about what is considered a potentially dangerous form value. I know the obvious ones like – bluntstone Jun 26 '12 at 07:33
  • @bluntstone Html entities mainly cause this error. See the updated answer. – AlphaMale Jun 26 '12 at 07:45
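
Added example, not part of the original thread or of the framework's own code: a client-side pre-check for the kind of custom validator the question asks about. It is modelled on the core character rule published in the .NET Framework 4.x reference source (`IsDangerousString` in System.Web); that other framework versions behave the same is an assumption, and the function names and sample form are constructed for illustration.

```javascript
// Added example. Assumption: models the .NET Framework 4.x core rule only;
// other framework versions may differ. All names here are hypothetical.

function isAsciiLetter(ch) {
  return (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z');
}

// Returns the index of the first flagged character, or -1 if none.
function findDangerousIndex(value) {
  const s = String(value);
  // A trigger character in the very last position is never flagged,
  // so the loop stops one short of the end.
  for (let i = 0; i < s.length - 1; i++) {
    const next = s[i + 1];
    // '<' followed by a letter, '!', '/' or '?' (tag, comment, close tag, PI)
    if (s[i] === '<' &&
        (isAsciiLetter(next) || next === '!' || next === '/' || next === '?')) {
      return i;
    }
    // '&' followed by '#' (numeric character reference)
    if (s[i] === '&' && next === '#') {
      return i;
    }
  }
  return -1;
}

// Checks every field of a form object and reports the ones to block.
function validateFields(fields) {
  const rejected = [];
  for (const [name, value] of Object.entries(fields)) {
    const at = findDangerousIndex(value);
    if (at !== -1) {
      rejected.push({ name, at, near: String(value).slice(at, at + 2) });
    }
  }
  return rejected;
}

// Constructed sample form values.
const sampleForm = {
  comment: 'price < 5 & qty > 2', // '<' and '&' followed by a space
  bio: 'Hello <b>world</b>',      // '<' followed by a letter
  note: 'caf&#233;',              // '&' followed by '#'
  title: 'Tom &amp; Jerry',       // named entity
  tail: 'ends with <',            // trigger character in last position
};
```

Use this only to give the user early feedback: the server-side validation still runs regardless, and values still need encoding on output, as with `Server.HtmlEncode` above.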