Tuesday, December 30, 2008

Server Error in '/' Application ... A potentially dangerous Request.Form value was detected ...


When entering a value with angled brackets into a text box on a .NET application the following error is generated in the browser:

Server Error in '/' Application.

A potentially dangerous Request.Form value was detected from the client (TextBoxN="...")


The .NET framework is throwing up an error because it detected something in the entered text which looks like an HTML statement. The text doesn't need to contain valid HTML, just anything with opening and closing angled brackets ("<...>").

The reason behind the error is as a security precaution. Developers need to be aware that users might try to inject HTML (or even a script) into a text box which may affect how the form is rendered. For further details see www.asp.net/learn/whitepapers/request-validation/.

This checking was not performed in the .NET 1.0 framework and was introduced with the .NET 1.1 framework.


The remedy is in two parts and you MUST action both:

  1. To disable request validation on a page add the following directive to the existing "page" directive in the file - you will need to switch to the HTML view for this:


    for example if you already have:

    <%@ Page Language="vb" AutoEventWireup="false" Codebehind="MyForm.aspx.vb" Inherits="Proj.MyForm"%>

    then this should become:

    <%@ Page Language="vb" AutoEventWireup="false" Codebehind="MyForm.aspx.vb" Inherits="Proj.MyForm" ValidateRequest="false"%>

    Alternately, you can globally turn request validation off (but in which case be sure to implement item two below). To globally turn request validation off add the following to your web.config file:

    this should go within the section. This will turn off request validation for every page in your application.


    With request validation turned off, users will be able to enter html into text boxes on the page. For example entering:


    will be rendered by the browser (when the form is updated and the contents redisplayed) as JavaScript and a message box will appear with the message "Oops!". This is generally considered to be undesirable!

  2. Unless you actually need users to be able to enter HTML you must convert the string to its html encoding equivalent - basically this means that certain characters (like "<") are converted to codes (so "<" is converted to "<"). To perform this conversion use HttpUtility.HtmlEncode, for example:

    MyLabel.Text := HttpUtility.HtmlEncode(MyTextBox.Text);

    You only need to consider this for any text that will be rendered in the browser.

These notes are believed to be correct for .NET 1.1 and .NET 2, and may apply to other versions as well.

From: http://www.cryer.co.uk/brian/mswinswdev/ms_vbnet_server_error_potentially_dangerous.htm

Friday, December 19, 2008

Debugging client JavaScript in VS 2005

Client Java Script is one of the most important things in web development but not the best and easiest to develop. Building of bigger and more complicated scripts, especially using DOM model or form field values can cause a lot of frustration and head pain. Moreover, JavaScript debugging is not easy and obvious as should be. But there is a hope.

One of less known features of Visual Studio 2005 is Script Explorer, hidden in Debug menu where appears only when the debugger is running. This great tool allows easily debug JavaScripts.

Before start, we should ensure that client script debugging is not disabled in IE as it is by default. Suitable options are located on Advanced tab of Internet Options where both script debugging checkboxes should be unchecked.

We can come back to Script Explorer. As it was written before, it appears only while the debugger is working. So after starting project we can go do Debug->Windows where should be Script Explorer. Sometimes, don’t know why, it doesn’t so in this case we have to find it manually. Staying in debug mode right click on tool bar and go into Customize. Then select Debug in Categories on the left side of window and find Script Explorer on the right. Just drag it to Debugging toolbar.

After opening Script Explorer panel we will se the tree of active JavaScripts. At the first level are scripts that are imported from external sources or embedded in the page. There are also auto-generated scripts like postback scripts as well. By double-clicking on the selected script it will open in the main window.

At this moment, we can debug it in well known way using breakpoints, steps, Watch and QuickWatch, just like in the server side, including context variable browsing.

Breakpoints can also be set up in external *.js files before project will be loaded. Then, after loading project, the breakpoint will be activated by debugger. Note, that it is only possible to *.js files not for scripts embedded in pages. These scripts are available for debugging only after loading page.

Taken from: