.NET Discussion

.NET Issues, Problems, Code Samples, and Fixes

How To Allow HTML to be Submitted in Your Forms


Ever gotten the error "A potentially dangerous Request.Form value was detected from the client" when you click Submit after typing some HTML into a form? Want users to be able to submit HTML tags? Not only is it possible, it's easy. In the page directive of your .aspx page (the line that starts with <%@ Page), add the attribute ValidateRequest="false". That turns off ASP.NET request validation for that one page only; to turn it off site-wide you would set <pages validateRequest="false" /> in web.config instead. (On ASP.NET 4.0 and later the page directive is ignored unless web.config also contains <httpRuntime requestValidationMode="2.0" />.)

Yeah, that’s it.

WARNING: with request validation off, ASP.NET no longer rejects requests whose form fields, query string or cookies contain markup such as a <script> tag. Any of that input you write back into a page becomes a cross-site scripting (XSS) hole unless you HTML-encode it on output, so make sure you know what you're getting into before you turn this feature off. Request validation is a blunt page-wide filter, not a substitute for output encoding; turning it off just removes the safety net.
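As an added example (not code from the original post), here is a page that accepts HTML in a form with ValidateRequest="false" and still renders it safely. The control names (CommentText, Preview, SubmitButton) and the handler name are hypothetical; Server.HtmlEncode is the standard System.Web API, used here in place of the Anti-XSS library because it ships with the framework.

```aspx
<%@ Page Language="VB" ValidateRequest="false" AutoEventWireup="true" %>
<%--
  Added example, not from the original post. Request validation is off for
  this page only, so ASP.NET will no longer reject a POST containing "<b>"
  or "<script>". Output encoding is now the only thing standing between a
  submitted comment and a cross-site scripting payload.

  On ASP.NET 4.0 and later this directive has no effect unless web.config
  also sets: <httpRuntime requestValidationMode="2.0" />
--%>
<script runat="server">
    ' Handles the Submit click. The raw text is accepted (validation is off)
    ' but is never written to the page unencoded.
    Protected Sub SubmitButton_Click(ByVal sender As Object, ByVal e As EventArgs)
        Dim rawInput As String = CommentText.Text

        ' UNSAFE: would render the user's markup verbatim. With validation off,
        ' nothing stops <script>alert(document.cookie)</script> from executing.
        ' Preview.Text = rawInput

        ' SAFE: HTML-encode on output. Server.HtmlEncode turns < > & " into
        ' entities, so the browser displays the tags as text instead of
        ' parsing them. The tags are still stored and still round-trip intact.
        Preview.Text = Server.HtmlEncode(rawInput)
    End Sub
</script>
<html>
<body>
    <form id="CommentForm" runat="server">
        <asp:TextBox ID="CommentText" runat="server" TextMode="MultiLine" />
        <asp:Button ID="SubmitButton" runat="server" Text="Submit"
                    OnClick="SubmitButton_Click" />
        <p>Preview:</p>
        <asp:Literal ID="Preview" runat="server" />
    </form>
</body>
</html>
```

Submitting <b>hi</b><script>alert(1)</script> now shows exactly that string in the preview instead of executing the script. Setting Mode="Encode" on the asp:Literal does the same job declaratively. Note what this does not give you: if the point of allowing HTML is to actually render a safe subset (bold, links), encoding everything defeats that purpose, and you then need an allow-list HTML sanitizer; neither the page directive nor HtmlEncode provides one.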

EDIT: Be sure to check the comments by Eric on this post on how you can do this more securely! Also, for a more complete explanation, check his post on XSS Attacks.


July 9, 2007 - Posted by | ASP.NET, Tips & Tricks

3 Comments »

  1. Cross site scripting attacks are the NUMBER ONE attack, and it's because of lack of input validation (OWASP Top Ten Project).

    Fortunately, Microsoft has their Anti-XSS library, which HTML Encodes ALL input values, so if you want to allow HTML the safe way, you should use this if you have to turn input validation off – MS Anti-XSS Library

    Comment by Eric | July 20, 2007 | Reply

  2. Yeah, I read a bit about XSS the other day. Thanks for the link!

    When you install this, does it provide you with the DLL that you then have to add as a reference, recompile your app, and then re-upload your project DLL(s) plus this one? Or is it something else?

    Comment by Some.Net(Guy) | July 20, 2007 | Reply

  3. Yeah, you're pretty much on track. Add the DLL as a reference, then import the class to your appropriate pages (ex. Imports Microsoft.Security.Application.AntiXss).

    Then, when grabbing your data from your web form, just use the HtmlEncode method – Dim strInput As String = HtmlEncode(Me.inputText.Text).

    Comment by Eric | July 20, 2007 | Reply

