D'Arcy from Winnipeg
Solution Architecture, Business & Entrepreneurship, Microsoft, and Adoption

Using Free Text Box Safely in ASP.NET 2.0

Saturday, February 3, 2007 10:11 PM

We're using the Free Text Box control in an internal web app. This is one of those controls that lets you enter rich text that is marked up with HTML tags behind the scenes. The problem, though, is that when you submit the page, you'll get an error warning you that some shifty looking code might be attached to the response. So how do you handle something like this safely?

1. Set ValidateRequest to False in the page declaration. You can do this for the entire site in the web.config if you want, but that would be silly.

2. When you submit your rich text in the response, you need to use Server.HtmlEncode on the text first. This turns "<" into "&lt;" in the text and renders any nasty-type of stuff harmless.

3. For data coming out, use Server.HtmlDecode to output your text back in html-love fashion.
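
The three steps above as one round trip, in C# (an added example, not code from the original post). `RichTextStore`, its in-memory dictionary and the sample input are constructed for illustration; `HttpUtility.HtmlEncode` and `HttpUtility.HtmlDecode` are the System.Web methods that `Server.HtmlEncode` and `Server.HtmlDecode` call.

```csharp
// Added example, not the author's code. RichTextStore and the in-memory
// dictionary are hypothetical stand-ins for the app's data layer.
// Step 1 lives in the page directive:  <%@ Page ValidateRequest="false" ... %>
using System;
using System.Collections.Generic;
using System.Web; // HttpUtility (reference System.Web.dll on .NET Framework)

public static class RichTextStore
{
    private static readonly Dictionary<int, string> rows = new Dictionary<int, string>();

    // Step 2: encode the submitted rich text before it is stored.
    public static void Save(int id, string submittedHtml)
    {
        string encoded = HttpUtility.HtmlEncode(submittedHtml ?? string.Empty);
        // Sanity check: nothing that still parses as a tag may reach storage.
        if (encoded.IndexOf('<') >= 0 || encoded.IndexOf('>') >= 0)
            throw new InvalidOperationException("stored value still contains raw markup");
        rows[id] = encoded;
    }

    // The stored form, e.g. for an admin grid that prints it without decoding.
    public static string LoadEncoded(int id) { return rows[id]; }

    // Step 3: decode for display. Returns the markup exactly as submitted.
    public static string LoadForDisplay(int id)
    {
        return HttpUtility.HtmlDecode(rows[id]);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input: formatting plus a script element.
        string submitted = "<p><b>Status:</b> done</p><script>alert(1)</script>";
        RichTextStore.Save(1, submitted);
        Console.WriteLine("stored : " + RichTextStore.LoadEncoded(1));
        string shown = RichTextStore.LoadForDisplay(1);
        Console.WriteLine("display: " + shown);
        Console.WriteLine("round trip identical: " + (shown == submitted));
    }
}
```

Step 3 returns the markup exactly as it was submitted, so a script element in the input is live again on the page that displays it. The encoded form protects storage and any view that prints the value without decoding.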

I'm sure this is nothing new, and I'm sure there are lots of articles on it online...just wanted to record it here for my own records and also in case it could help someone who frequents the boards.

D




Feedback

# re: Using Free Text Box Safely in ASP.NET 2.0

I need that 4/5/2007 2:19 AM | Atif Shah

# re: Using Free Text Box Safely in ASP.NET 2.0

Thanks Man, that actually helped me. 8/12/2007 5:27 PM | DionB

# re: Using Free Text Box Safely in ASP.NET 2.0

I really need that 4/3/2008 6:18 AM | hasintha

# re: Using Free Text Box Safely in ASP.NET 2.0

Good refresher and pleasant tone. Thanks. 2/1/2011 12:56 PM | nate
