Saving HTML in Editor gives 'potentially dangerous Request.Form value'

Saving HTML in Editor gives 'potentially dangerous Request.Form value'

elicymelicym Posts: 8Questions: 3Answers: 0

I'm trying to save HTML in an Editor field. Only admins have access to this page, so there's no XSS issue. I get an ASP.NET error - 'A potentially dangerous Request.Form value was detected from the client'. I tried what was suggested at https://datatables.net//forums/discussion/comment/98528/, in both the question and answer, but it didn't help.

This question has an accepted answers - jump to answer

Answers

  • allanallan Posts: 63,689Questions: 1Answers: 10,500 Site admin

    Hi,

    The requestValidationMode option is the only way I'm aware of that will properly resolve this. Its a built in validation check by .NET and not something that Editor intentionally enables. The .NET documentation on this topic might be of some use. Specifically do you have the httpRuntime requestValidationMode set to be 2.0 inside the system.web?

    It looks like there is a method which can be used to check that it was set.

    Allan

  • elicymelicym Posts: 8Questions: 3Answers: 0

    requestValidationMode didn't work by itself - the action also required the attribute [ValidateInput(false)]. It would be ideal though if the Editor library would use Request.Unvalidated, which won't require changing the whole application to use requestValidationMode=2.

  • allanallan Posts: 63,689Questions: 1Answers: 10,500 Site admin
    Answer ✓

    Thanks for letting ,e know about Request.Unvalidated - I wasn't aware of that. I've just added support for it to Editor's .NET libraries and it will be available in Editor 1.7 which will be out next week.

    Regards,
    Allan

  • elicymelicym Posts: 8Questions: 3Answers: 0

    Thank you, great support.

This discussion has been closed.