BeanSoftware Logo

ASP.NET Database Search Control

    Write For Us

How To Allow HTML Tags In TextBox Control?

Let say you have one TextBox control and one Button control on web form. On button click your application should take text from TextBox control and do something smart with it. It works fine, until you try to insert some HTML tag. For example, try to insert text "Hello
World", like on image bellow.

Text of TextBox Control contains some HTML tag
Image 1: Text of TextBox control contains HTML tag

If you click a button now your application will throw an exception, with output similar to this:

Server Error in '/TestWebSite' Application.

A potentially dangerous Request.Form value was detected from the client (txtAllowHTML="Hello <br /> World").
Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (txtAllowHTML="Hello <br /> World").




To avoid this problem and allow HTML tags in TextBox control you need to change ValidateRequest of Page directive to false. You can do it like in code bellow:

<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Default.aspx.vb" ValidateRequest="false" Inherits="_Default" %>


After this change, your application will accept every input, including HTML tags.

Security issues when allowing HTML tags

Note that this ValidateRequest property is not existing without reason. When you change its default value, insecure input will be accepted. Because of that, you need to validate every user's input to avoid cross-site scripting attacks, like inserting of malicious JavaScript, ActiveX, Flash or HTML

Related articles:

1. Working With ObjectDataSource And GridView

FAQ toolbar: Submit FAQ  |  Tell A Friend  |  Add to favorites  |  Feedback

Copyright © 2002-2008 Bean Software. All rights reserved.