DataList throws "A potentially dangerous..." from textbox on canceling from editmode

Question

0.00/5 (No votes)

See more:

Hi,
I implemented a DataList where the EditItemTemplate contains a textbox with user input. the string written in the textbox is not showed if not in editmode. When the string contains script injection like alert the control acts funny .... not...

When I click the editmode button the datalist shows the text as expected because the textbox control can handle the script injection.
BUT when I click the cancel editmode the page goes to yellow screen of death with "A potentially dangerous Request. Form value was detected from the client" pointing at the textbox with the script injection.

The code running when cancelbutton is pressed:

MyDataList.EditItemIndex = (int)e.Item.ItemIndex;
MyMessageDataList.DataSource = myList;
MyMessageDataList.DataBind();

Does anyone know why this happen?

The "script injection"-text is not showed in a label or something.

Posted 3-Feb-11 4:53am

CodeLars

Updated 3-Feb-11 15:02pm

Henry Minute

v2

Add a Solution

2 solutions

Solution 3

it seems that this bug is a "work as intended"-bug.
ValidateRequest seems to validate every text and throws that error just in case...
which seems to me, makes the validaterequest="true" unusable in real applications where that behavior realy itn't wanted.

Posted 3-Feb-11 22:07pm

CodeLars

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

jim lahey · Accepted Answer · 2011-02-03T05:03:00

Solution 1

You're going to have to set ValidateRequest to false in web.config if you want to suppress this behaviour. be aware though, that doing this opens your site up to script injection and therefore possible XSS vulnerabilities. you'll have to handle all the user input yourself.

Posted 3-Feb-11 5:03am

jim lahey

Comments

fjdiewornncalwe 3-Feb-11 21:42pm

OP's comment moved from answer: Yea i found that one and didnt want to do that.
it must be another way.
btw. it collapses before it even goes to page_load.
i was wondering if the datalist does something with the string that makes it goes boom?