.NET Discussion

.NET Issues, Problems, Code Samples, and Fixes

How To Allow HTML to be Submitted in Your Forms


Ever gotten an error when you click submit after entering some HTML in your form?  Want users to be able to submit HTML tags?  Not only is it possible, it's easy!  Somewhere in your page directive (i.e., where it says <%@ Page) on your .aspx page, simply include the attribute: ValidateRequest="false".

Yeah, that’s it.

WARNING: doing this means that the .NET engine will not check for possibly harmful code a user could enter via HTML or JavaScript, so make sure you know what you're getting into before you turn off this feature.

EDIT: Be sure to check the comments by Eric on this post on how you can do this more securely! Also, for a more complete explanation, check his post on XSS Attacks.

July 9, 2007 - Posted by Some.Net(Guy) | ASP.NET, Tips & Tricks | 3 Comments

3 Comments

  1. Cross site scripting attacks are the NUMBER ONE attack, and it's because of lack of input validation (OWASP Top Ten Project).

    Fortunately, Microsoft has their Anti-XSS library, which HTML Encodes ALL input values, so if you want to allow HTML the safe way, you should use this if you have to turn input validation off – MS Anti-XSS Library

    Comment by Eric | July 20, 2007 | Reply

  2. Yeah, I read a bit about XSS the other day. Thanks for the link!

    When you install this, does it provide you with the DLL that you then have to add as a reference, recompile your app, and then re-upload your project DLL(s) plus this one? Or is it something else?

    Comment by Some.Net(Guy) | July 20, 2007 | Reply

  3. Yeah, you're pretty much on track. Add the dll as a reference, then import the class to your appropriate pages (ex. Imports Microsoft.Security.Application.AntiXss).

    Then, when grabbing your data from your web form, just use the HtmlEncode method – Dim strInput As String = HtmlEncode(Me.inputText.Text).

    Comment by Eric | July 20, 2007 | Reply
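Putting the post's directive together with Eric's comments, here is an added example (not code from the original post or from the Anti-XSS library itself): a single-file .aspx page that turns request validation off for this one page and HTML-encodes the submitted value before it is rendered. The page and control names (inputText, submitButton, outputLabel) are assumed.

```vbnet
<%@ Page Language="VB" ValidateRequest="false" %>
<%@ Import Namespace="Microsoft.Security.Application" %>
<script runat="server">
    ' Runs when the user clicks Submit. Request validation is off for this
    ' page only (see the directive above), so input containing tags such as
    ' <b> or <script> reaches the handler instead of raising the usual error.
    Protected Sub submitButton_Click(ByVal sender As Object, ByVal e As EventArgs)
        Dim rawInput As String = inputText.Text

        ' Encode before the value touches the page: "<script>" becomes
        ' "&lt;script&gt;", so the browser displays the markup as text
        ' instead of executing it. This is the AntiXss.HtmlEncode call
        ' from the comments above.
        Dim safeOutput As String = AntiXss.HtmlEncode(rawInput)
        outputLabel.Text = safeOutput
    End Sub
</script>
<html>
<body>
    <form id="form1" runat="server">
        <asp:TextBox ID="inputText" runat="server" TextMode="MultiLine" Rows="5" Columns="60" />
        <asp:Button ID="submitButton" runat="server" Text="Submit" OnClick="submitButton_Click" />
        <hr />
        <asp:Label ID="outputLabel" runat="server" />
    </form>
</body>
</html>
```

Because the attribute sits in the page directive rather than web.config, every other page in the site keeps request validation on.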

