x First time here? Check out the FAQ
  • Avatar22posts43karma

    "A potentially dangerous Request.Form value was detected" when updating content with HTML tags

    Mike started this topic August 6, 2010 @ 10:52, Go directly to the topic solution

    I have recently installed umbraco v 4.0.4.2 after suffering a lot of problems with the latest versions not loading the tree nodes within the admin section.

    After a couple of days of trying to install the CMS I finally managed to get Umbraco working locally on Windows XP with WebMatrix. However, I have stumbled upon the following problem when attempting to add content that contains any HTML tags.

    A potentially dangerous Request.Form value was detected from the client (ctl00$body$pageContent="<a href="null">Test<...").

    Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

    Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$body$pageContent="<a href="null">Test<...").

    Here is the stack trace for the error:

    [HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (ctl00$body$pageContent="Test<a href="http://"></...").]
    System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8730676
    System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
    System.Web.HttpRequest.get_Form() +114
    System.Web.HttpRequest.get_HasForm() +8896047
    System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +97
    System.Web.UI.Page.DeterminePostBackMode() +69
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +8431
    System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +253
    System.Web.UI.Page.ProcessRequest() +78
    System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21
    System.Web.UI.Page.ProcessRequest(HttpContext context) +49
    ASP.umbraco_editcontent_aspx.ProcessRequest(HttpContext context) +4
    System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +100
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

    After searching on Google and trying some of the methods, from adding a tag to disable request validation to changing my web.config file. The problem still persists and as such it makes using Umbraco unfeasible.

    Can anyone help with this problem?


  • Avatar96posts194karma
    Comment with ID: 42069
    Arjan H. posted this reply August 6, 2010 @ 11:06

    You can either put this in your template:

    <umbraco:DisableRequestValidation runat="server"/>

    Or this in your usercontrol's codebehind:

    protected void Page_Init(object sender, EventArgs e)
    {
        try
        {
            ((umbraco.UmbracoDefault)this.Page).ValidateRequest = false;
        }
        catch { }
    }

    But make sure to clean up the input before you process it.


  • Avatar22posts43karma
    Comment with ID: 42071
    Mike posted this reply August 6, 2010 @ 11:10

    I've tried adding the first line in both my Master template and within the editContent.aspx page and it didn't change anything, as well as changing debugging to true and adding a similar line in my web.config file, but I haven't tried the codebehind as I don't know where to find it. Which file do I need to add/edit to do this?

    EDIT: After searching around I found this video about adding .NET user controls. Is this what I need to do for my master template?


  • Avatar96posts194karma
    Comment with ID: 42075
    Arjan H. posted this reply August 6, 2010 @ 11:23

    I'm not entirely sure what you're trying to do. The video explains how to add and use custom .NET user controls in Umbraco. But you're having issues with saving HTML in the backend, right? Can you explain exactly what you're doing (maybe add some screenshots)?


  • Avatar22posts43karma
    Comment with ID: 42077
    Mike posted this reply August 6, 2010 @ 11:28

    Sorry, I think I've needlessly made it seem more complicated than it actually it. To put it short, I cannot add HTML to any content pages because it throws a ASP.NET error. Here's an example of what I'm trying to do; if I add simple text it works fine, but the second I add a HTML tag the error in the first page is thrown.

    http://imgur.com/LsUkm.jpg


  • Arjan H. posted this reply August 6, 2010 @ 11:42

    I have no experience with WebMatrix, but I did find this:

    http://learn.iis.net/page.aspx/872/webmatrix-beta-release-readme/#Known_Issues_ASPNET

    You did mention you were trying to disable request validation in the web.config, but it doesn't say exactly what you did.


  • Avatar22posts43karma
    Comment with ID: 42086
    Mike posted this reply August 6, 2010 @ 11:45

    That worked perfectly, thank you very much!

    For anyone else suffering from the same problem, I had changed validateRequest="false" in both my page directives and web.config files and it had no effect, but <httpRuntime requestValidationMode="2.0" /> worked perfectly and now I can add HTML to my content.

    Thanks again!


  • Avatar96posts194karma
    Comment with ID: 42087
    Arjan H. posted this reply August 6, 2010 @ 11:47

    Glad I could help!


  • Cheryl posted this reply January 6, 2012 @ 05:40

    Hi Im having the same problem Where do I enter the code <httpRuntime requestValidationMode="2.0" />

     

    thanks


  • Sivard posted this reply January 12, 2012 @ 10:49

    in the web.config, place it inside the node <system.web> if it's not there already.

     


  • Cheryl posted this reply January 15, 2012 @ 01:24

    Hi thanks for your help, this is all very new to me, I have added this code to the web.config and I dont get an error.  I save the changes to a page and it says saved but all the changes I make really do not save.

    All I added was the <httpRuntime requestValidationMode="2.0" /> code

    Not sure where to add the other bits validateRequest="false"

    Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.           ;


Please login or Sign up To post replies