
I want to add a validator which prevents HTML injection in ASP.NET. I am using the code below:

<asp:TextBox ID="TxtBoxMultiLine" runat="server" TagName="textBoxValidation" Width="50%" AutoPostBack="False" autocomplete="off" textMode="MultiLine"></asp:TextBox>

<asp:CustomValidator ID="CustomValidator1" runat="server" ErrorMessage="HTML Tags Not Allowed" ControlToValidate="TxtBoxMultiLine" ClientValidationFunction="ValidateTitle" ValidationGroup="htmlValidation"></asp:CustomValidator>

<asp:Button Text="Save" ID="addSaveBttn" CssClass="savesimpleshape1" runat="server" OnClick="addSaveBttn_Click" ValidationGroup="htmlValidation"/>

I am using this JavaScript function to validate my textbox.

    function ValidateTitle(event) {
        str = (document.getElementById('textBoxValidation')).value;
        if (str.match(/([<])([^>]{1,})*([>])/i) == null) {
            event.IsValid = true;
        }
        else {
            event.IsValid = false;
        }
    }

When I press the button, this exception occurs: A potentially dangerous Request.Form value was detected from the client

It seems that it is ignoring my validation. Also, I don't want to put this on my page: ValidateRequest = false

2 Answers


  1. You may use client script like:

     function ValidateTitle(event, args) {
         str = (document.getElementById('textBoxValidation')).value;
         if (str.match(/([<])([^>]{1,})*([>])/i) == null) {
             args.IsValid = true;
         }
         else {
             args.IsValid = false;
         }
     }
    

    and

    
    <asp:CustomValidator ID="CustomValidator1" runat="server" ErrorMessage="HTML Tags Not Allowed" ControlToValidate="TxtBoxMultiLine" ClientValidationFunction="ValidateTitle" ValidationGroup="htmlValidation" EnableClientScript="true" Display="Dynamic"></asp:CustomValidator>
    
    

    You could correct some errors.

    str = (document.getElementById('textBoxValidation')).value;
    

    to

      str = (document.getElementById('TxtBoxMultiLine')).value;
    

    You must set all inputs to a validation group,

    and you must add a script resource for the "WebForms UnobtrusiveValidationMode requires a ScriptResourceMapping for 'jquery'" error. Also, your regex does not completely detect HTML code; change your regex from

     if (str.match(/([<])([^>]{1,})*([>])/i) == null) {   
    

    to

      if (str.match("<[^>]*>") == null) { 
    

    You may need a more complex regex.

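Added example (not code from the original question or answer): the client validation function written with the `(source, args)` signature that ASP.NET WebForms uses for `ClientValidationFunction`, reading the control's value from `args.Value` instead of looking the element up by id, together with a side-by-side run of the two regexes from this thread over constructed inputs. Two points for a defender: the two patterns accept exactly the same strings, so the suggested change helps with backtracking rather than coverage (the nested quantifier `([^>]{1,})*` in the original backtracks exponentially on a long unterminated `<...` run, while `<[^>]*>` does not); and the client function only prevents the postback when it actually runs, so the server-side request validation that raised the exception is the real safety net and should stay enabled. The `validate` driver and the sample strings are constructed for this illustration.

```javascript
// Added example, not from the original post: ASP.NET-style client validator
// plus a comparison of the two regexes discussed in the thread.

// Original pattern from the question and the simpler one suggested in the answer.
// They match the same set of strings; only their backtracking behaviour differs.
const ORIGINAL_RX = /([<])([^>]{1,})*([>])/i;
const SIMPLE_RX = /<[^>]*>/;

// True when the text contains a complete "<...>" sequence.
function containsHtmlTag(text, rx) {
  return rx.test(text);
}

// ClientValidationFunction handler: ASP.NET passes the validator element as
// `source` and an args object whose Value is the ControlToValidate's value.
function ValidateTitle(source, args) {
  args.IsValid = !containsHtmlTag(args.Value, SIMPLE_RX);
}

// Drives the handler with a constructed args object, as the framework would.
function validate(value) {
  const args = { Value: value, IsValid: true };
  ValidateTitle(null, args);
  return args.IsValid;
}

// Constructed sample inputs (not from the page).
const SAMPLES = [
  "Plain text, nothing to see here", // accepted
  "Hello <b>World</b>",              // rejected: a real tag
  "if a < b and c > d",              // rejected: no HTML, but looks like a tag (false positive)
  "unterminated <b tag",             // accepted: no closing '>' so neither regex fires
];

// Runs every sample through both patterns and the validator.
function report() {
  return SAMPLES.map(s => ({
    input: s,
    original: containsHtmlTag(s, ORIGINAL_RX),
    simple: containsHtmlTag(s, SIMPLE_RX),
    isValid: validate(s),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(report());
}
```

The false positive on `if a < b and c > d` is the price of a regex check: it rejects plain text that merely contains angle brackets, which is acceptable for a title field but worth knowing before applying the same pattern to free-form input.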
  2. To avoid the exception "A potentially dangerous Request.Form value was detected from the client", add the below inside the <system.web> element.

    <sessionState mode="InProc" cookieless="UseUri"/>
    

    After validating your input, the below will strip HTML tags in a textbox using regex.

    function stripHtmlTags(str) {
        const rx = /(<([^>]+)>)/ig;
        return str.replace(rx, "");
    }
    
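Added example (not code from answer 2): the tag-stripping regex from the answer wrapped in a function, beside an HTML-encoding function, both run over constructed inputs. It shows that stripping removes legitimate text between a stray `<` and `>` and leaves an unterminated tag untouched, whereas encoding keeps the text intact and still prevents it from being parsed as markup when rendered. `encodeHtml`, `compare` and the sample strings are assumptions for this illustration.

```javascript
// Added example, not from the original post: strip-on-input versus
// encode-on-output for the same constructed inputs.

// Pattern proposed in answer 2: anything that looks like a complete tag.
const TAG_RX = /(<([^>]+)>)/ig;

// Removes every complete "<...>" sequence from the string.
function stripHtmlTags(str) {
  return str.replace(TAG_RX, "");
}

// Escapes the five characters that are significant in HTML text and
// attribute values, so the browser displays them literally.
function encodeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return str.replace(/[&<>"']/g, ch => map[ch]);
}

// Constructed sample inputs (not from the page).
const SAMPLE_INPUTS = [
  "Hello <b>World</b>",   // stripping removes the tags, encoding shows them as text
  "if a < b and c > d",   // stripping deletes " b and c ", encoding preserves it
  "unterminated <b tag",  // stripping changes nothing, encoding neutralises the '<'
];

// Returns the stripped and encoded forms of one input side by side.
function compare(str) {
  return { input: str, stripped: stripHtmlTags(str), encoded: encodeHtml(str) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(SAMPLE_INPUTS.map(compare));
}
```

Stripping is a lossy transformation of the stored value; encoding at the point where the value is written into a page is what keeps user text from being interpreted as markup, and the two are complementary rather than interchangeable.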