2

My columns in the DB are nvarchar(MAX).

I need to add HTML code from CKEditor into my database. I get the following error:

A potentially dangerous Request.Form value was detected from the client (Description="<h1>Heding 1&nbsp;</...").

I am using the following Code:

var String=Request["String"];

I even used the following:

var String = HttpUtility.HtmlEncode(Request["String"]);
String = Request["String"];

Here is part of my code:

if (IsPost) {
    var Description = Request.Unvalidated["Description"];
    // Here I insert into the database
}

And the form part is:

<form action="" enctype="multipart/form-data" method="post">
<div class="row">
    <div class="two columns offset-by-two"><br/><label> Description: </label><br/></div>
    <div class="eight columns"><textarea name="Description"></textarea></div>

I want to store the text from "Description" in my database.

4 Answers

2

You simply need to use Request.Unvalidated to reference inputs that contain HTML if you don't want ASP.NET Request validation kicking in within the ASP.NET Web Pages framework:

var text = Request.Unvalidated["myTextBox"];

Or:

var text = Request.Unvalidated("myTextBox");

6 Comments

Will this leave it vulnerable to SQL injection?
No, this has nothing to do with SQL injection, which is protected against by using parameterised queries. And what does "didn't work" mean? Are you sure you referenced the correct input? Can you provide a small repro of your page?
I just tested with your code (adding a submit button and closing the form) and it works fine for me.
Did you add the CKEditor javascript to your file?
Which library contains Request.Unvalidated[]?
0

It looks like HtmlEncoding should do the trick.

Did you try the following:

var myColumnData = HttpUtility.HtmlEncode(Request["String"]);

Then pass this myColumnData, and all other columns to your Database table.

Edit: In addition to above, you may also want to look at the project settings, as it is recommended in the following blog - A potentially dangerous Request value was detected from the client.

1 Comment

HtmlEncoding won't do the trick at all. You will get the same error.
0

This did the trick for me.

var text = Request.Unvalidated["myTextBox"];

Thank you.

Comments

0

SAFETY RULES: Before you push it to the database, I suggest you filter suspicious tags such as script tags.

var x = Request.Unvalidated("MyField");

if(x.Contains("<script>") || x.Contains("</script>")){
    //no script tag allowed.
}

Comments
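An allowlist version of the filtering step suggested in the answer above, as an added example that is not part of the original thread: it HTML-encodes the whole unvalidated value and then restores only a fixed set of attribute-free tags, so any markup not on the list stays inert text. The class name, the tag list, and the table and column names in the closing comment are assumptions.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example: allowlist filter for rich-text HTML before it is stored.
// The tag list, class and method names are assumptions, not from the thread.
public static class RichTextFilter
{
    // Attribute-free tags that may survive; everything else stays encoded.
    private static readonly Regex AllowedTag = new Regex(
        @"&lt;(/?)(h1|h2|h3|p|b|i|em|strong|ul|ol|li|br)\s*(/?)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static string Sanitize(string rawHtml)
    {
        if (string.IsNullOrEmpty(rawHtml)) return string.Empty;

        // 1. Encode everything, so no markup from the client is live.
        string encoded = WebUtility.HtmlEncode(rawHtml);

        // 2. Re-enable only exact allowlisted tags. A tag that carried any
        //    attribute does not match and remains inert text.
        string restored = AllowedTag.Replace(encoded,
            m => "<" + m.Groups[1].Value + m.Groups[2].Value.ToLowerInvariant()
                     + m.Groups[3].Value + ">");

        // 3. The editor emits &nbsp;, which step 1 double-encoded.
        return restored.Replace("&amp;nbsp;", "&nbsp;");
    }

    public static void Main()
    {
        // Constructed inputs; the first mirrors the value in the question.
        string[] samples =
        {
            "<h1>Heding 1&nbsp;</h1><p>Some <b>bold</b> text</p>",
            "<p>ok</p><SCRIPT>var a = 1;</SCRIPT>",
            "<p class=\"x\">hi</p>"
        };
        foreach (string s in samples)
            Console.WriteLine(Sanitize(s));

        // In the Web Pages page the filtered value would then be stored with a
        // parameterised query (db, table and column names are hypothetical):
        // db.Execute("INSERT INTO Items (Description) VALUES (@0)", safeHtml);
    }
}
```

Entities other than `&nbsp;` come out double-encoded, so this narrow filter suits simple formatting only.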
