
I have an internal application (not accessible from outside our network) that has a multi-line textbox. Users (co-workers) have been known to copy/paste text from Outlook or MS Word into this textbox that includes an email address. When that happens they get this error:

A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$txtIssueDesc="... Name < email@domain...").

We're using VB.NET v3.5 on MS Visual Studio 2008.

Is there a way to strip out what's between the < > before the error is tripped so it can be put into the database then edited later without any problems?

wazz
Alverant

2 Answers

You can do a combination of these things:

  1. Look at this answer to suppress that error.

  2. Use a regular expression on the client side to strip the < and > and the content between. To do this you can add an onclick event to the submit button to run the regex replace before submitting to the server.

In either case, you will still want to run a regex on the server side to validate any input before saving to your database, and likewise HTML encode any output.

David Rogers
Fisch
  • I'd rather not suppress the error in case they actually DO enter dangerous code by mistake. I'm just looking to fix the most frequent cause of the error. I'm not sure how to write such a regular expression. – Alverant Oct 22 '13 at 20:23
  • do you want to just remove the tags, or also content between the tags? e.g. if the user entered html code, would only the tags be stripped, or do you want everything between the tags stripped out as well? – Fisch Oct 22 '13 at 20:57
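The client-side cleanup step from this answer, written out as an added example (not part of the original answer): it removes bracketed e-mail addresses such as the ones Outlook pastes, and pairs that with a rough approximation of the server-side check so the effect can be verified. The approximation of ASP.NET request validation (a `<` followed by a letter, `!`, `/` or `?`, or a `&#` sequence) and the sample text are assumptions.

```javascript
// Added example, not from the original answer. The request-validation
// heuristic below is an assumption about the server's rule, not the exact
// ASP.NET implementation.

// Remove "<...>" segments whose contents look like an e-mail address
// (optionally prefixed with "mailto:"), keeping everything else intact.
function stripBracketedEmails(text) {
  return text.replace(/\s*<\s*(?:mailto:)?[^<>\s@]+@[^<>\s]+\s*>/gi, "");
}

// Approximation of the server-side rule that produces the
// "A potentially dangerous Request.Form value was detected" error.
function looksDangerousToRequestValidation(text) {
  return /<[a-zA-Z!\/?]|&#/.test(text);
}

// Hook for the submit button's onclick: cleans the textbox in place and
// returns the cleaned value. Only addresses the common paste case; the
// server must still validate and HTML-encode on its own.
function cleanTextboxBeforeSubmit(textbox) {
  textbox.value = stripBracketedEmails(textbox.value);
  return textbox.value;
}
```

Markup that is not an e-mail address (for example `<b>bold</b>`) is deliberately left alone, so the server-side check still fires for it.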

It is not directly related to the original question.

You might want to consider using ASP.Net Ajax FilteredTextBox.

It strips out invalid characters as soon as the user pastes anything into the textbox. You can also set which characters are valid and which aren't.

For example, the following code does not let the user enter special characters other than _.@.

<ajaxToolkit:FilteredTextBoxExtender 
   ID="UsernameFilteredTextBoxExtender" 
   runat="server" 
   TargetControlID="UsernameTextBox"
   FilterType="Numbers,UppercaseLetters,LowercaseLetters,Custom"  
   ValidChars="_.@" />
Win