Hi! I am looking for a way to strip out any HTML code if the user types some HTML into the textbox. Thanks!!
If the ValidateRequest is turned on for a page then ASP.Net will automatically detect the HTML in the text box and throw an error.
ValidateRequest can be turned on in the Page directive.
Use
yourString = Server.HtmlEncode(Trim(TxtBxManufactureProductID.Text))
or
yourString = HttpUtility.HtmlEncode(TxtBxManufactureProductID.Text)
yourString is a string variable.
You can use HTMLEncode as told previously; else, if you want to completely remove HTML, then you may use RegEx: <(?<tag>\w*)>(?<text>.*)</\k<tag>> , and replace the matches with an empty string.
I am not sure of the exact code, but you can replace HTML for sure.
Ankit
Hi! Thank you for the reply. I tried yourString=HttpUtility.HtmlEncode(TxtProfile.Text) and got an error (a potentially dangerous request...)
And I also tried the one that has Trim, but it says that Trim doesn't exist in the current context. Do I have to import a namespace for that? Thanks.
Thanks! I get a syntax error on the regular expression:
<asp:RegularExpressionValidator ID="RegularExpressionValidator1" runat="server" ControlToValidate="txtBusinessprofile" ValidationExpression="<(?<tag>\w*)>(?<text>.*)</\k<tag>>">Please do not include html code!</asp:RegularExpressionValidator>
<%@ Page Language="VB" MasterPageFile="AdminMasterPage.master" AutoEventWireup="false" Inherits="YYY" title="xxxx" ValidateRequest="false" Codebehind="YYY.aspx.vb" %>
You will have a line like the one above in your aspx file (the first line).
Write the ValidateRequest="false" there.
Then also use the code in my previous reply.
Do you know how to catch the exception that is thrown when ValidationRequest="true" and the user inputs HTML? I can see that this exception is fired much before the execution point ever comes to the actual page's codebehind. I guess I could not even catch it in Application_Error.....
It will be actually nice to have something like this:
1. keep ValidationRequest="true"
2. Exception is thrown if user enters html or anything inside angular brackets
3. Error is caught at Page error handler and action is taken (display msg etc)
This will save remembering to validate for malicious input (or at least a scripting type of malicious input) in all the forms in all the pages...
Thanks for the tip! I have also read that it's not a good habit to set validaterequest to false because of the script injection attacks that might arise... I had mine set to false for the page only and I need to make sure that all HTML code is stripped out of the textbox.
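An added example (not code from any poster in this thread), in VB.NET to match the page directive quoted above. It runs the regular expression suggested earlier against constructed inputs: that pattern only matches paired tags without attributes and, when the match is replaced with an empty string, removes the text inside them as well. Next to it is a plain tag strip followed by HttpUtility.HtmlEncode. The module, helper names and sample strings are assumptions made for the illustration.

```vbnet
Imports System
Imports System.Text.RegularExpressions
Imports System.Web ' HttpUtility; System.Web is already referenced in an ASP.NET project

Module StripVersusEncode

    ' The pattern suggested in the thread, unchanged.
    Private Const ThreadPattern As String = "<(?<tag>\w*)>(?<text>.*)</\k<tag>>"

    ' Hypothetical helper: replace every match of the thread's pattern with "".
    Function StripWithThreadPattern(value As String) As String
        Return Regex.Replace(value, ThreadPattern, String.Empty)
    End Function

    ' Hypothetical helper: remove everything from "<" up to the next ">" and
    ' keep the text between tags. This is blunt: it also eats legitimate text
    ' that happens to sit between a stray "<" and ">".
    Function StripTags(value As String) As String
        Return Regex.Replace(value, "<[^>]*>", String.Empty)
    End Function

    ' Hypothetical helper: strip, trim, then encode. Encoding is the step that
    ' keeps any leftover "<" or ">" from being interpreted as markup when the
    ' value is written back into a page.
    Function SafeForHtml(value As String) As String
        Return HttpUtility.HtmlEncode(StripTags(value).Trim())
    End Function

    Sub Main()
        ' Constructed sample inputs, not taken from the thread.
        Dim samples As String() = {
            "<b>bold</b> text",
            "<b class=""x"">bold</b> text",
            "<img src=""a.png""> text",
            "5 < 6 and 7 > 3",
            "unfinished <b tag"
        }

        For Each s As String In samples
            Console.WriteLine("input        : " & s)
            Console.WriteLine("thread regex : " & StripWithThreadPattern(s))
            Console.WriteLine("strip+encode : " & SafeForHtml(s))
            Console.WriteLine()
        Next
    End Sub

End Module
```

Inside a page with ValidateRequest="false", the same SafeForHtml call would be applied to the textbox's Text value before it is stored or rendered.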