by

Problem is that when this gets posted to server, it will not work, doesn’t matter what you try. This is the ASP.NET XSS protection, which can be disabled like so:

<%@ Page ... ValidateRequest="false" %>

Trouble is, you’ll have to be very careful validating all the postback yourself. Easier way is to escape all the contents of textbox using javascript just before posting. You can escape it using same HTML escaping, then unescape in server side code.

Update:
Example of escaping. This will flash the changed text on screen before postback – ideal solution is to use a hidden field for this, i.e. assign value to a hidden field, instead of that same field. This is the simplest version:

<script>
  function EscapeField(){
    document.getElementById("your client control ID").value = 
       escape(document.getElementById("your client control ID").value);
  }
</script>

And in code-behind:

this.ClientScript.RegisterOnSubmitStatement(this.GetType(), 
    "EscapeField", "EscapeField();")

Update:
Again, warning – if you save HTML in your database like this, and then just display it to the client, you are directly vulnerable to XSS attacks. There are worms out there that will find and exploit your web site. Make sure you cleanse the HTML you are getting.

More Related Contents:

  1. A potentially dangerous Request.Form value was detected from the client
  2. How to encode the plus (+) symbol in a URL
  3. What is the difference between AntiXss.HtmlEncode and HttpUtility.HtmlEncode?
  4. How does Html.Raw MVC helper work?
  5. I just discovered why all ASP.Net websites are slow, and I am trying to work out what to do about it
  6. Content-Disposition:What are the differences between “inline” and “attachment”?
  7. Session timeout in ASP.NET
  8. Generating an Excel file in ASP.NET [closed]
  9. Self Tracking Entities vs POCO Entities
  10. Best way to trim strings after data entry. Should I create a custom model binder?
  12. System.Security.SecurityException when writing to Event Log
  13. Enable ASP.NET ASMX web service for HTTP POST / GET requests
  14. What perfmon counters are useful for identifying ASP.NET bottlenecks?
  15. Visual Studio error “Object reference not set to an instance of an object” after install of ASP.NET and Web Tools 2015
  16. Setting up redirect in web.config file
  17. How to run ‘dotnet dev-certs https –trust’?
  18. How to remove returnurl from url?
  19. How can I JSON encode an array in VB.NET?
  20. asp.net c# redirecting from http to https
  21. Jqgrid 3.7 does not show rows in internet explorer
  22. What is the purpose of the Assemblies node in Web.Config?
  23. Programmatically register HttpModules at runtime
  24. How to combine using Membership API with own application related data?
  25. Deploying ASP.NET MVC4 App to GoDaddy Compiler issue
  26. How do I fix a “Request format is unrecognized for URL…” error in a web service running in IIS?
  27. SQL Reporting Services – Print Button not shown in Mozilla
  28. Disable the postback on an
  29. Button click not working inside update panel
  30. How do I install and use the ASP.NET AJAX Control Toolkit in my .NET 3.5 web applications?

Leave a Comment