Fixing "Server Error in Application ... A potentially dangerous Request.Form value was detected" in ASP.NET


Symptom:

When entering a value with angled brackets into a text box on a .NET
application, the following error is generated in the browser:

Server Error in '/folder' Application.

A potentially dangerous Request.Form value was detected from
the client (TextBoxN="...")

Cause:

The .NET framework raises this error because it detected something in the
entered text that looks like an HTML tag. The text doesn't need to contain
valid HTML, just anything with opening and closing angled brackets ("<...>").

The error is a security precaution. Developers need to be aware that users
might try to inject HTML (or even a script) into a text box, which may affect
how the form is rendered. For further details see
www.asp.net/learn/whitepapers/request-validation/

This checking was not performed in the .NET 1.0 framework and was introduced
with the .NET 1.1 framework.

Remedy:

The remedy is in two parts and you MUST action both:

  1. To disable request validation on a page, add the following attribute
     to the existing "page" directive in the file (you will need to switch
     to the HTML view for this):

     ValidateRequest="false"

     For example, if you already have:

     <%@ Page Language="vb" AutoEventWireup="false" Codebehind="MyForm.aspx.vb"
     Inherits="Proj.MyForm"%>

     then this should become:

     <%@ Page Language="vb" AutoEventWireup="false" Codebehind="MyForm.aspx.vb"
     Inherits="Proj.MyForm" ValidateRequest="false"%>

     In later versions of Visual Studio the value of this property is
     available via the page properties, so simply set "ValidateRequest"
     to "False". Either method of setting this achieves the same result.

     Note:
     If you are using .NET 4 then you will also need to add
     requestValidationMode="2.0" to the httpRuntime configuration section
     of the web.config file. For example:

     <httpRuntime requestValidationMode="2.0"/>

     If you don't already have an httpRuntime section in the web.config
     file then this goes inside the <system.web> section.

     Alternatively, instead of turning validation off on a page-by-page
     basis, you can turn request validation off globally (but in that case
     be sure to implement item two below). To globally turn request
     validation off, add the following to your web.config file:

     <pages validateRequest="false" />

     This should go within the <system.web> section and will turn off
     request validation for every page in your application. (For .NET 4
     you will also need to add requestValidationMode="2.0" to the
     web.config file as mentioned in the note above.)

     Warning:
     With request validation turned off, users will be able to enter HTML
     into text boxes on the page. For example, entering:

     <script>alert('Oops!')</script>

     will be rendered by the browser (when the form is updated and the
     contents redisplayed) as JavaScript, and a message box will appear
     with the message "Oops!". This is generally considered to be
     undesirable!


  2. Unless you actually need users to be able to enter HTML, you must
     convert the string to its HTML-encoded equivalent. Basically this
     means that certain characters (like "<") are converted to codes (so
     "<" is converted to "&lt;", etc.). To perform this conversion use
     HttpUtility.HtmlEncode, for example:

     MyLabel.Text = HttpUtility.HtmlEncode(MyTextBox.Text)

     You only need to consider this for any text that will be rendered
     in the browser.
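Both parts of the remedy together in one code-behind, as an added example that is not from the original post: it assumes a C# version of the post's MyForm.aspx (Language="C#", CodeBehind="MyForm.aspx.cs", ValidateRequest="false") with the controls MyTextBox, MyLabel and a button SubmitButton declared in the markup.

```csharp
// Added example (not from the original post). Assumed MyForm.aspx markup:
//   <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="MyForm.aspx.cs"
//       Inherits="Proj.MyForm" ValidateRequest="false" %>
//   <asp:TextBox ID="MyTextBox" runat="server" />
//   <asp:Button  ID="SubmitButton" runat="server" Text="Update"
//                OnClick="SubmitButton_Click" />
//   <asp:Label   ID="MyLabel" runat="server" />
// On .NET 4 the page-level setting alone is not enough; web.config also
// needs <httpRuntime requestValidationMode="2.0"/> inside <system.web>.
using System;
using System.Web;
using System.Web.UI;

namespace Proj
{
    public partial class MyForm : Page
    {
        protected void SubmitButton_Click(object sender, EventArgs e)
        {
            // With request validation off, MyTextBox.Text may hold raw
            // markup such as <script>alert('Oops!')</script>.

            // UNSAFE (the behaviour the Warning above describes):
            // Label.Text is written to the response verbatim, so the
            // browser would execute the script and show "Oops!".
            //   MyLabel.Text = MyTextBox.Text;

            // SAFE: part two of the remedy. HtmlEncode turns '<' into &lt;,
            // '>' into &gt;, '&' into &amp; and '"' into &quot;, so the
            // browser displays the tag as literal text instead of running it.
            MyLabel.Text = HttpUtility.HtmlEncode(MyTextBox.Text);
        }
    }
}
```

The same encoding call applies to any other user-supplied value the page writes back into HTML, not only the label shown here.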


