HTML in User Input - Handling the Exception
Message
From
29/06/2005 15:07:26
Keith Payne
Technical Marketing Solutions
Florida, United States
To
29/06/2005 14:48:26
General information
Forum:
ASP.NET
Category:
Other
Environment versions
Environment:
ASP.NET
OS:
Windows 2000 SP4
Database:
MS SQL Server
Miscellaneous
Thread ID:
01027271
Message ID:
01027486
Views:
12
This message has been marked as one that helped answer the initial question of the thread.
>Hmm, that's too bad - it seems reasonable to be able to say "no HTML allowed" nicely to the user, rather than give them the big yellow screen. But it makes sense from a security standpoint that it should be handled high up in the call stack.
>
>For my app it's not a big deal - anyone savvy enough to try to enter HTML is savvy enough to deal with a BYS < g >
>
>It's of academic interest but is there any relatively easy way to display a text URL as a hyperlink? Obviously it can be done - the UT does it (although only when the text is read-only). Does this require a 3rd party control, custom parsing, both ??
>
>>Well, you really can't have it both ways <g>...
>>
>>As far as I know you can't capture this error inside of a page - it happens higher up in the ASP.NET pipeline before it ever gets to the page. If you look at the call stack you can see it's in the HTTP Request parsing that this fires. The only place you can handle this failure is in Application_Error in global.asax from which it's going to be real tough to provide page relevant information.
>>
>>
>>+++ Rick ---
>>
>>
>>
>>>VS.NET 2003
>>>
>>>By default, ASP.NET/IIS doesn't allow HTML input into text boxes etc. If you do you get the nice yellow screen talking about cross-site scripting attacks etc.
>>>
>>>" Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case."
>>>
>>>I don't want to set validateRequest=false, I like the idea of this checking taking place. However, I'd like to trap this exception instead, preferably in a CustomValidator and put a message in ValidationSummary i.e. handle it like any other kind of input error. Is there a recommended technique to handle this?
>>>
>>>On a related note, some users are asking if URLs in text boxes can show as hyperlinks instead of plain text. Can this be done with plain-Jane ASP.NET controls?

Al,

You can identify text that resembles a URL with the .NET regular expression parser RegEx. You can find a regular expression that matches URLs at www.regexlib.com. Once you identify the URL, you can enclose it in an href tag and insert the HTML into the .Text of a Label control to render the hyperlink.
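
The approach in the reply above, sketched as an added example that is not part of the original post: because a Label writes its .Text to the page without encoding it, this version HTML-encodes everything that is not a recognised link and only builds anchors for http/https URLs. The class name, the regular expression and the `ResultLabel` control are assumptions, and the code assumes .NET 2.0 or later.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical helper (not from the thread). Assumes .NET 2.0 or later.
public static class SafeLinkifier
{
    // Constructed, deliberately narrow pattern (not one from regexlib.com):
    // absolute http/https URLs only, ending at whitespace, quotes or angle brackets.
    private static readonly Regex UrlPattern = new Regex(
        @"https?://[^\s<>""']+", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string ToHtml(string userText)
    {
        if (userText == null) return string.Empty;
        StringBuilder html = new StringBuilder();
        int last = 0;
        foreach (Match m in UrlPattern.Matches(userText))
        {
            // Text between URLs is encoded, so stray markup renders as literal characters.
            html.Append(HttpUtility.HtmlEncode(userText.Substring(last, m.Index - last)));

            // Sentence punctuation after a URL is not part of the link.
            string url = m.Value.TrimEnd('.', ',', ';', ':', '!', '?', ')');
            string tail = m.Value.Substring(url.Length);

            Uri parsed;
            bool isWebLink = Uri.TryCreate(url, UriKind.Absolute, out parsed)
                && (parsed.Scheme == Uri.UriSchemeHttp || parsed.Scheme == Uri.UriSchemeHttps);
            if (isWebLink)
            {
                html.Append("<a href=\"").Append(HttpUtility.HtmlAttributeEncode(url))
                    .Append("\" rel=\"nofollow noopener\">")
                    .Append(HttpUtility.HtmlEncode(url)).Append("</a>");
            }
            else
            {
                html.Append(HttpUtility.HtmlEncode(url)); // not a valid link: show as text
            }
            html.Append(HttpUtility.HtmlEncode(tail));
            last = m.Index + m.Length;
        }
        html.Append(HttpUtility.HtmlEncode(userText.Substring(last)));
        return html.ToString();
    }
}
// Usage in a page (ResultLabel is an assumed Label control):
//   ResultLabel.Text = SafeLinkifier.ToHtml(storedText);
```

Encoding on output this way complements request validation rather than replacing it, since text reaching the Label may come from the database or other sources that never passed through the request check.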