Before looking at the code, read about: What is JumpStart?
———————————————————– Before validateRequest="false" ———————————————————-
Input screen / output screen: (screenshots not reproduced)
Code -
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    /* validateRequest -
     * 1. It is the ASP.NET feature that rejects requests containing un-encoded HTML or script
     *    as page input.
     * 2. When a user tries to submit HTML or script with validateRequest enabled, ASP.NET throws
     *    an exception: "A potentially dangerous Request.Form value was detected from the client".
     * 3. By default, it is true.
     * 4. It can be overridden individually for each page in the @Page directive, or globally in
     *    the <pages> element under <system.web> in web.config.
     * 5. Sometimes it is necessary to accept HTML input from the user (for example in a CMS);
     *    in that case we need to set validateRequest="false".
     * 6. It is always advisable to validate user input when validateRequest="false", because a
     *    malicious user can mount script (XSS) attacks by taking advantage of this setting.
     * 7. The other way to keep the output safe is to encode the user's input with
     *    HttpUtility.HtmlEncode() before writing it to the page.
     * 8. In .NET 4.0 an additional entry is required in web.config for validateRequest="false"
     *    to take effect: <httpRuntime requestValidationMode="2.0"/>
     */
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Deliberately unsafe: the raw input is echoed back into the response.
        // With validation on, ASP.NET rejects script input before this line runs;
        // with validation off, this is a reflected XSS.
        Response.Write(TextBox1.Text);
    }
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
        <asp:Button ID="Button1" runat="server" Text="PostBack" OnClick="Button1_Click" />
    </div>
    </form>
</body>
</html>
———————————————————– After validateRequest="false" ———————————————————–
Input screen / output screen: (screenshots not reproduced)
Code –
<%@ Page Language="C#" ValidateRequest="false" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    /* validateRequest - see the numbered notes in the first listing above; the only
     * change here is ValidateRequest="false" in the @Page directive. */
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Still echoes the raw input; now that validation is off, <script> input
        // submitted in the text box is rendered by the browser (reflected XSS).
        Response.Write(TextBox1.Text);
    }
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
        <asp:Button ID="Button1" runat="server" Text="PostBack" OnClick="Button1_Click" />
    </div>
    </form>
</body>
</html>
In web.config (required on .NET 4.0; without it the page-level ValidateRequest="false" is ignored and the "potentially dangerous" exception is still thrown):

<system.web>
    <httpRuntime requestValidationMode="2.0"/>
</system.web>

Note that this switch is application-wide, not per page: it reverts request validation to the ASP.NET 2.0 behaviour, in which only pages with ValidateRequest enabled are checked, so every other request in the application is validated less strictly than under the 4.0 default.
—————————————————– Encoding Input – HttpUtility.HtmlEncode() —————————————————-
Input screen / output screen: (screenshots not reproduced)
Code –
// Replace the following function in the code above:
protected void Button1_Click(object sender, EventArgs e)
{
    // Encode before writing: <, >, &, and " become entities, so the browser
    // renders the submitted text literally instead of executing it as markup.
    Response.Write(HttpUtility.HtmlEncode(TextBox1.Text));
}

HttpUtility.HtmlEncode() is the right encoder only where the value lands in HTML element content or an attribute value. A value that is written inside a <script> block or into a URL needs the encoder for that context instead (for example HttpUtility.JavaScriptStringEncode() or HttpUtility.UrlEncode()); HTML-encoding alone does not make those contexts safe.
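The two settings shown above (ValidateRequest="false" on the page, requestValidationMode="2.0" in web.config) relax validation for a whole page or the whole application to let one CMS field through. The following is an added example, not code from the original post, showing the narrower .NET 4.0 option: a custom System.Web.Util.RequestValidator that exempts exactly one posted field while everything else keeps the built-in check, together with a code-behind that applies the context-specific encoders from the encoding section. The namespace JumpStart.Samples, the class names, the form field BodyHtml and the control IDs are assumptions for the illustration; the requestValidationType attribute, RequestValidator, RequestValidationSource and the HttpUtility methods are real .NET 4.0 APIs.

```csharp
// Added example (not from the original post). Assumed names: namespace
// JumpStart.Samples, validator CmsRequestValidator, page CmsEditPage,
// exempt form field "BodyHtml".
//
// Register the validator in web.config and keep the default
// requestValidationMode (4.0), so validation still runs for every request:
//   <system.web>
//     <httpRuntime requestValidationType="JumpStart.Samples.CmsRequestValidator" />
//   </system.web>
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Util;

namespace JumpStart.Samples
{
    public class CmsRequestValidator : RequestValidator
    {
        // The one form field allowed to carry raw HTML (the CMS editor body).
        private const string ExemptFormField = "BodyHtml";

        // The posted key is the control's UniqueID: "BodyHtml" when the control sits
        // directly in the form, "ctl00$Main$BodyHtml" inside a master page or other
        // naming container. Match the exact name or the "$BodyHtml" suffix only.
        private static bool IsExemptKey(string key)
        {
            return key != null
                && (key == ExemptFormField
                    || key.EndsWith("$" + ExemptFormField, StringComparison.Ordinal));
        }

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Exempt only POSTed form data under the one key; query string,
            // cookies, headers and all other form fields are still validated.
            if (requestValidationSource == RequestValidationSource.Form && IsExemptKey(collectionKey))
            {
                validationFailureIndex = -1;
                return true;
            }

            // Everything else keeps the built-in "potentially dangerous" check.
            return base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }

    // Code-behind for a page that does NOT set ValidateRequest="false". With the
    // validator above, BodyHtml may contain <script> without an exception, while
    // TextBox1 is still rejected if it does.
    public partial class CmsEditPage : Page
    {
        // Assumed controls: <asp:TextBox ID="BodyHtml" .../> and <asp:TextBox ID="TextBox1" .../>
        protected TextBox BodyHtml;
        protected TextBox TextBox1;

        protected void Button1_Click(object sender, EventArgs e)
        {
            // Exempting a field from request validation does not make its value
            // safe to echo. HTML context: HtmlEncode.
            Response.Write("<pre>" + HttpUtility.HtmlEncode(BodyHtml.Text) + "</pre>");

            // JavaScript string context: JavaScriptStringEncode, not HtmlEncode.
            string js = HttpUtility.JavaScriptStringEncode(TextBox1.Text);
            ClientScript.RegisterStartupScript(GetType(), "echo", "console.log('" + js + "');", true);

            // URL query context: UrlEncode, then the attribute is HTML-encoded as usual.
            string q = HttpUtility.HtmlEncode(HttpUtility.UrlEncode(TextBox1.Text));
            Response.Write("<a href=\"/search?q=" + q + "\">search</a>");
        }
    }
}
```

If BodyHtml really has to be rendered as HTML rather than displayed as text, the exempted value still has to go through an allow-list HTML sanitizer before it is stored or written to the page; the validator only decides what ASP.NET lets into Request.Form, not what is safe to output.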