3

My ASP.NET page has an <asp:TextBox /> whose text input is encoded via HttpUtility.HtmlEncode();

The page also contains validators such as <asp:RequiredFieldValidator /> and <asp:CustomValidator /> as well as several AJAX toolkit <toolkit:ValidatorCalloutExtender />

If the user inputs </ as the text in the textbox, a Javascript error

A potentially dangerous Request.Form value was detected
from the client (ctl00$contentPlaceHolder$ucLookup$tbxLastName=&quot;&lt;/&quot;)

happens when the form is submitted. I have tried adding various event handlers such as

protected void Page_PreInit(object sender, EventArgs e){}
protected void Page_Init(object sender, EventArgs e){}
protected void Page_PreLoad(object sender, EventArgs e){}

and setting breakpoints but none of them are hit, leading me to believe the error only happens client-side.

How can I debug this error? Are there any hooks which allow me to intercept the user's input and filter or encode it before it causes this issue?

Improve this question
2
  • 1
    If its javascript error, then try using firebug in firefox browser to debug the javascript or if its in internet explorer, under settings -> advanced, uncheck the Disable javascript debugging option. You should hit the error in javascript where it throws. Commented Sep 14, 2010 at 17:08
  • Thanks. Using firebug, the error is: A potentially dangerous Request.Form value was detected from the client (ctl00$contentPlaceHolder$ucLookup$tbxLastName=&quot;&lt;/&quot;). Any ideas on how to intercept the input before it attempts to validate on the client-side? Specifically I'd rather not set validateRequest="false" on all my pages... Commented Sep 14, 2010 at 17:13

2 Answers 2

Reset to default
1

Try checking out the suggestions in this thread: A potentially dangerous Request.Form value was detected from the client

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

For this Potentially dangerous error, you can do the following and see if it helps -

Add the line: <pages validateRequest="false" /> inside the <system.web> section

Improve this answer

1 Comment

Per a comment above, is there a way to do this without setting validateRequest="false"? Is there a hook that fires before the validation occurs that I can intercept?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.