2

My column in the DB is nvarchar(MAX).

I need to add HTML code into my database from CKEditor. I get the following error:

A potentially dangerous Request.Form value was detected from the client (Description="<h1>Heding 1&nbsp;</...").

I am using the following code:

var String = Request["String"];

I even used the following:

var String = HttpUtility.HtmlEncode(Request["String"]);
String = Request["String"];

Here is part of my code:

if (IsPost) {
    var Description = Request.Unvalidated["Description"];
    // Here I insert into the database
}

And the form part is:

<form action="" enctype="multipart/form-data" method="post">
    <div class="row">
        <div class="two columns offset-by-two"><br/><label> Description: </label><br/></div>
        <div class="eight columns"><textarea name="Description"></textarea></div>
    </div>
    <input type="submit" value="Save" />
</form>

I want to store the text from "Description" in my database.

Dawood Awan

4 Answers

2

You simply need to use Request.Unvalidated to reference inputs that contain HTML if you don't want ASP.NET Request validation kicking in within the ASP.NET Web Pages framework:

var text = Request.Unvalidated["myTextBox"];

Or:

var text = Request.Unvalidated("myTextBox");
Mike Brind
  • Will this leave it Vulnerable to SQL injection? – Dawood Awan Jan 01 '13 at 05:19
  • No, this has nothing to do with SQL injection which is protected against by using parameterised queries. And what does "didn't work" mean? Are you sure you referenced the correct input? Can you provide a small repro of your page? – Mike Brind Jan 01 '13 at 08:15
  • I just tested with your code (adding a submit button and closing the form) and it works fine for me. – Mike Brind Jan 02 '13 at 05:56
  • Did you add the CKEditor javascript to your file? – Dawood Awan Jan 02 '13 at 07:52
  • Which Library contains: Request.Unvalidated[] – Dawood Awan Jan 02 '13 at 17:44
  • It's here: http://aspnetwebstack.codeplex.com/SourceControl/changeset/view/5d4159c85ff6#src/System.Web.WebPages/Helpers/Validation.cs. Try it with round brackets: `var x = Request.Unvalidated("MyField");` It works either way for me. – Mike Brind Jan 02 '13 at 18:59
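The complete handler that the answer and its comments point towards, written here as an added example (it is not Mike Brind's code or the original poster's page): the field is read with Request.Unvalidated so request validation is skipped for that one field only, the HTML is reduced to an allow-list of tags before it is stored (skipping request validation does not make the markup safe to render later), and the insert is parameterized through WebMatrix.Data so the HTML is passed as data rather than concatenated into SQL text. Assumptions: a connection string named "MyDb" in web.config, a table Posts with an nvarchar(MAX) column Description, the HtmlSanitizer NuGet package (namespace Ganss.Xss), and a 20,000-character size limit chosen for the demo.

```cshtml
@* Added example, not code from the original question or answers. Assumes a
   connection string named "MyDb", a table Posts(Description nvarchar(MAX)),
   and the HtmlSanitizer NuGet package (Ganss.Xss). *@
@using Ganss.Xss
@{
    var errors = new List<string>();
    var description = "";

    if (IsPost) {
        // Request.Unvalidated reads this one field without ASP.NET request
        // validation; every other field in the form is still validated as usual.
        description = Request.Unvalidated["Description"] ?? "";

        if (description.Trim().Length == 0) {
            errors.Add("Description is required.");
        }
        if (description.Length > 20000) {   // assumed limit for this demo
            errors.Add("Description is too long.");
        }

        if (errors.Count == 0) {
            // Bypassing request validation does not make the HTML safe to render.
            // Reduce it to an allow-list of tags and attributes before storing it.
            var sanitizer = new HtmlSanitizer();
            sanitizer.AllowedTags.Clear();
            foreach (var tag in new[] { "p", "br", "h1", "h2", "h3", "ul", "ol", "li", "strong", "em", "a" }) {
                sanitizer.AllowedTags.Add(tag);
            }
            sanitizer.AllowedAttributes.Clear();
            sanitizer.AllowedAttributes.Add("href");
            var clean = sanitizer.Sanitize(description);

            // Parameterized insert: the HTML travels as the @0 parameter, so quotes
            // or semicolons inside it cannot change the SQL statement.
            var db = Database.Open("MyDb");
            db.Execute("INSERT INTO Posts (Description) VALUES (@0)", clean);
            Response.Redirect("~/");
        }
    }
}
<!DOCTYPE html>
<html>
<head><title>New post</title></head>
<body>
    @if (errors.Count > 0) {
        <ul>
        @foreach (var e in errors) { <li>@e</li> }
        </ul>
    }
    <form action="" method="post">
        <label for="Description">Description:</label><br/>
        <textarea id="Description" name="Description">@description</textarea><br/>
        <input type="submit" value="Save" />
    </form>
</body>
</html>
```

When the stored value is rendered back on another page, emit it with Html.Raw only because it was sanitized on the way in; anything that did not go through the sanitizer should be written as a plain @expression, which Razor HTML-encodes. Note that `@description` inside the textarea above is encoded for exactly that reason.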
0

It looks like HtmlEncoding should do the trick.

Did you try the following:

var myColumnData = HttpUtility.HtmlEncode(Request["String"]);

Then pass this myColumnData, and all other columns, to your database table.

Edit: In addition to the above, you may also want to look at the project settings, as recommended in the following blog: A potentially dangerous Request value was detected from the client.

Yusubov
0

This did the trick for me.

var text = Request.Unvalidated["myTextBox"];

Thank you.

flakomalo
0

Safety rules: before you push it to the database, I suggest you filter suspicious tags such as script tags.

var x = Request.Unvalidated("MyField");

if (x.Contains("<script>") || x.Contains("</script>")) {
    // no script tag allowed
}
Ifeanyi Chukwu
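As an added example (not code from the answer above), the console program below runs the answer's `Contains("<script>")` check against a handful of constructed payloads alongside an allow-list sanitizer, to show concretely what a substring blacklist misses: a case change, whitespace inside the tag, or an event-handler attribute all slip past it while carrying script, and the benign CKEditor output is indistinguishable to it from the dangerous inputs. It assumes the HtmlSanitizer NuGet package (namespace Ganss.Xss); the class name and the payload strings are constructed for this demo.

```csharp
// Added example, not code from the original question or answers.
// Compares the substring check from the answer above with an allow-list
// sanitizer. Assumes the HtmlSanitizer NuGet package (Ganss.Xss);
// the payloads are constructed test strings.
using System;
using Ganss.Xss;

public static class DescriptionFilterDemo
{
    // The check from the answer above: a case-sensitive substring match.
    public static bool NaiveScriptCheck(string html)
    {
        return html.Contains("<script>") || html.Contains("</script>");
    }

    // Constructed payloads: only the first contains the exact lowercase
    // "<script>" token the naive check looks for.
    public static readonly string[] Payloads =
    {
        "<script>alert(1)</script>",                 // caught
        "<SCRIPT>alert(1)</SCRIPT>",                 // case differs: missed
        "<script >alert(1)</script >",               // whitespace in tag: missed
        "<img src=x onerror=alert(1)>",              // no script tag at all: missed
        "<a href=\"javascript:alert(1)\">click</a>", // URL scheme, not a tag: missed
        "<svg onload=alert(1)></svg>",               // event-handler attribute: missed
        "<h1>Heading 1&nbsp;</h1><p>legit text</p>", // benign CKEditor output
    };

    // Allow-list sanitizer: anything not explicitly permitted is removed,
    // which covers every variant above without enumerating them. HtmlSanitizer
    // also filters URL schemes (AllowedSchemes), so javascript: hrefs are dropped.
    public static HtmlSanitizer BuildSanitizer()
    {
        var s = new HtmlSanitizer();
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "h1", "h2", "h3", "ul", "ol", "li", "strong", "em", "a" })
        {
            s.AllowedTags.Add(tag);
        }
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");
        return s;
    }

    public static void Main()
    {
        var sanitizer = BuildSanitizer();
        foreach (var payload in Payloads)
        {
            Console.WriteLine("payload:   " + payload);
            Console.WriteLine("naive:     " + (NaiveScriptCheck(payload) ? "blocked" : "PASSED THROUGH"));
            Console.WriteLine("sanitized: " + sanitizer.Sanitize(payload));
            Console.WriteLine();
        }
    }
}
```

The naive check reports "blocked" for the first payload only; the other five script-bearing inputs pass through it unchanged, which is why filtering should be done by an allow-list of tags and attributes (and by encoding on output where raw HTML is not required) rather than by searching for known-bad strings.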