0

I want to add a validator which prevents HTML injection on ASP.NET. I am using the code below:

    <asp:TextBox ID="TxtBoxMultiLine" runat="server" TagName="textBoxValidation" Width="50%" AutoPostBack="False" autocomplete="off" textMode="MultiLine"></asp:TextBox>

    <asp:CustomValidator ID="CustomValidator1" runat="server" ErrorMessage="HTML Tags Not Allowed" ControlToValidate="TxtBoxMultiLine" ClientValidationFunction="ValidateTitle" ValidationGroup="htmlValidation"></asp:CustomValidator>

    <asp:Button Text="Save" ID="addSaveBttn" CssClass="savesimpleshape1" runat="server" OnClick="addSaveBttn_Click" ValidationGroup="htmlValidation"/>

I am using this JavaScript function to validate my textbox.

    function ValidateTitle(event) {
        str = (document.getElementById('textBoxValidation')).value;
        if (str.match(/([\<])([^\>]{1,})*([\>])/i) == null) {
            event.IsValid = true;
        }
        else {
            event.IsValid = false;
        }
    }

When I pressed the button, this exception occurred: A potentially dangerous Request.Form value was detected from the client

It seems that it is ignoring my validation. Also, I don't want to put this element: ValidateRequest = false on my page.

2 Answers

1

You may use client script like:

    function ValidateTitle(event, args) {
        str = (document.getElementById('textBoxValidation')).value;
        if (str.match(/([\<])([^\>]{1,})*([\>])/i) == null) {
            args.IsValid = true;
        }
        else {
            args.IsValid = false;
        }
    }

and


    <asp:CustomValidator ID="CustomValidator1" runat="server" ErrorMessage="HTML Tags Not Allowed" ControlToValidate="TxtBoxMultiLine" ClientValidationFunction="ValidateTitle" ValidationGroup="htmlValidation" EnableClientScript="true" Display="Dynamic"></asp:CustomValidator>

You could correct some errors.

    str = (document.getElementById('textBoxValidation')).value;

to

    str = (document.getElementById('TxtBoxMultiLine')).value;

You must set all inputs to some validation group, and you must add a script resource for the "WebForms UnobtrusiveValidationMode requires a ScriptResourceMapping for 'jquery'" error. Also, your regex does not completely detect HTML code; change your regex from

    if (str.match(/([\<])([^\>]{1,})*([\>])/i) == null) {

to

    if (str.match("<[^>]*>") == null) {

You may need a more complex regex.


3 Comments

It returns the same exception. It looks like, before the execution of the onclick action, the mechanism has recognized the HTML tags and it blocks me.

@Fatman123 Your text box is not in a validation group.

I removed the validation group from all tags and the same exception occurs.

1

To avoid the exception "A potentially dangerous Request.Form value was detected from the client", add the below inside the <system.web> element.

    <sessionState mode="InProc" cookieless="UseUri"/>

After validating your input, the below will strip HTML tags in a textbox using regex.

    const rx = /(<([^>]+)>)/ig;
    const result = str.replace(rx, "");
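
As an added example (not part of the original question or answers), the script below runs the three regexes quoted in this thread over a few constructed inputs, showing where tag detection and stripping misjudge input and what encoding at output does with the same strings. The helper names (`containsTag`, `stripTags`, `encodeHtml`) and the sample strings are assumptions made for illustration.

```javascript
// Patterns copied from the thread.
// The question's pattern nests quantifiers, ([^>]{1,})*, so it backtracks
// heavily on a long "<..." that never closes; the first answer's does not.
const QUESTION_RX = /([\<])([^\>]{1,})*([\>])/i; // question
const ANSWER_RX = /<[^>]*>/;                      // first answer
const STRIP_RX = /(<([^>]+)>)/ig;                 // second answer

// Detection as the validator does it: true means "reject the input".
function containsTag(str, rx = ANSWER_RX) {
  return str.match(rx) !== null;
}

// Removal as the second answer does it.
function stripTags(str) {
  return str.replace(STRIP_RX, "");
}

// Hypothetical helper (not from the thread): encode for an HTML text context
// so the stored value is rendered as text, whatever it contains.
function encodeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return str.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample inputs.
const SAMPLES = {
  plain: "Quarterly report",
  tag: "Hello <b>world</b>",
  math: "1 < 2 and 3 > 2",         // legitimate text containing < and >
  unterminated: "note <b class=x", // no closing '>'
};

function report() {
  return Object.entries(SAMPLES).map(([name, s]) => ({
    name,
    question: containsTag(s, QUESTION_RX),
    answer: containsTag(s, ANSWER_RX),
    stripped: stripTags(s),
    encoded: encodeHtml(s),
  }));
}

console.table(report());
```

The `math` row is legitimate text that both detection regexes reject and that stripping mangles, while the `unterminated` row passes both checks untouched; encoding at output treats all four inputs as plain text.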
