[CLOSED] A potentially dangerous Request.Form value was detected from XML

  1. #1

    [CLOSED] A potentially dangerous Request.Form value was detected from XML

    I want to printout XML from store. Some of my columns contains HTML So I have

        protected void MyStore_Submit(object sender, StoreSubmitDataEventArgs e)
        {
            XmlNode xml = e.Xml;
            string strXml = xml.OuterXml;
            this.Response.AddHeader("Content-Disposition", "attachment; filename=data.xml");
            this.Response.AddHeader("Content-Length", strXml.Length.ToString());
            this.Response.ContentType = "application/xml";
            this.Response.Write(strXml);
        }
    and this report error


    A potentially dangerous Request.Form value was detected from the client (submitDirectEventConfig="...ption\":\"<FONT face=\\\"tahom...").
    Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

    Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (submitDirectEventConfig="...ption\":\"<FONT face=\\\"tahom...").

    Source Error:

    [No relevant source lines]


    Source File: c:\Windows\Microsoft.NET\Framework\v2.0.50727\Temp orary ASP.NET Files\axwebtasktracker\c73b468a\6cadce2c\App_Web_4 faq77jg.0.cs Line: 0

    Stack Trace:

    [HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (submitDirectEventConfig="...ption\":\"<FONT face=\\\"tahom...").]
    System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +8734578
    System.Web.HttpRequest.ValidateNameValueCollection (NameValueCollection nvc, String collectionName) +111
    System.Web.HttpRequest.get_Form() +129
    System.Web.HttpRequest.get_HasForm() +8734679
    System.Web.UI.Page.GetCollectionBasedOnMethod(Bool ean dontReturnNull) +97
    System.Web.UI.Page.DeterminePostBackMode() +63
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6785
    System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +242
    System.Web.UI.Page.ProcessRequest() +80
    System.Web.UI.Page.ProcessRequestWithNoAssert(Http Context context) +21
    System.Web.UI.Page.ProcessRequest(HttpContext context) +49
    ASP.sandpage_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework\v2.0.50727\Temp orary ASP.NET Files\axwebtasktracker\c73b468a\6cadce2c\App_Web_4 faq77jg.0.cs:0
    System.Web.CallHandlerExecutionStep.System.Web.Htt pApplication.IExecutionStep.Execute() +181
    System.Web.HttpApplication.ExecuteStep(IExecutionS tep step, Boolean& completedSynchronously) +75
    I need to output my data, but have no idea how to do right with direct events and ext.net. help please.
    Last edited by Daniil; Oct 10, 2011 at 12:11 PM. Reason: [CLOSED]
  2. #2
    Hi,

    Please use the "encode : true" submit option:
    GridPanel1.submitData({
        encode : true
    });
  3. #3
    I got it now.
    Last edited by krzak; Oct 06, 2011 at 1:51 PM. Reason: I got it now
  4. #4
    however this change my output.

    No I get [object Object] if I get e.Xml

        protected voidMyStore_Submit(object sender, StoreSubmitDataEventArgs e)
        {
            XmlNode xml = e.Xml;
            string strXml = xml.OuterXml;
            this.Response.Write(strXml);
        }
    output like this:


    <?xml version="1.0"?>
    <records><record>[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]</record></records>
  5. #5
    however this change my output.
    Please clarify what output have you before?

    It looks like you need to deserialize the data.
  6. #6
    Quote Originally Posted by Daniil View Post
    Please clarify what output have you before?

    It looks like you need to deserialize the data.
    It was some copy&paste code found somewhere on forum exporting data to xml/excell/csv with xslt.
    I belive that there was proper xml with data that go without problems XSL tranformation. Now it get object in place of record data.


    how can I deserialize it now to get full xml?
  7. #7
    Well, I need a sample to reproduce your problem.

    Here is my test case working fine even without "encode: true".

    Example

    <%@ Page Language="C#" %>
    
    <%@ Import Namespace="System.Xml" %>
    
    <%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>
    
    <script runat="server">
        private object[] TestData
        {
            get
            {
                DateTime now = DateTime.Now;
    
                return new object[]
                {
                    new object[] { 1, "<span class='my-class'>3m Co</span>", 71.72, 0.02, 0.03, now },
                    new object[] { 2, "<div class='my-class'>Alcoa Inc</div>", 29.01, 0.42, 1.47, now },
                    new object[] { 3, "<b>Altria Group Inc</b>", 83.81, 0.28, 0.34, now },
                };
            }
        }
        
        protected void Store1_RefreshData(object sender, StoreRefreshDataEventArgs e)
        {
            this.Store1.DataSource = this.TestData;
            this.Store1.DataBind();
        }
    
        protected void Store1_Submit(object sender, StoreSubmitDataEventArgs e)
        {
            string format = this.FormatType.Value.ToString();
    
            XmlNode xml = e.Xml;
    
            this.Response.Clear();
            
            switch(format)
            {
                case "xml":
                    string strXml = xml.OuterXml;
                    this.Response.AddHeader("Content-Disposition", "attachment; filename=submittedData.xml");
                    this.Response.AddHeader("Content-Length", strXml.Length.ToString());
                    this.Response.ContentType = "application/xml";
                    this.Response.Write(strXml);
                    
                    break;
            }
            this.Response.End();
        }
    </script>
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title>Ext.NET Example</title>
        
        <script type="text/javascript">
            var submitValue = function (grid, hiddenFormat, format) {
                hiddenFormat.setValue(format);
                grid.submitData(false);
            };
            
            var template = '<span style="color:{0};">{1}</span>';
    
            var change = function (value) {
                return String.format(template, (value > 0) ? "green" : "red", value);
            };
    
            var pctChange = function (value) {
                return String.format(template, (value > 0) ? "green" : "red", value + "%");
            };
        </script>
    
        <style type="text/css">
            .my-class {
                color: red;
            }
        </style>
    </head>
    <body>
        <form runat="server">
            <ext:ResourceManager runat="server" />
            
            <ext:Hidden ID="FormatType" runat="server" />
            
            <ext:Store 
                ID="Store1" 
                runat="server" 
                OnRefreshData="Store1_RefreshData"
                OnSubmitData="Store1_Submit">
                <DirectEventConfig IsUpload="true" />
                <Proxy>
                    <ext:PageProxy />
                </Proxy>
                <Reader>
                    <ext:ArrayReader IDProperty="company">
                        <Fields>
                            <ext:RecordField Name="id" Type="Int" />
                            <ext:RecordField Name="company" />
                            <ext:RecordField Name="price" Type="Float" />
                            <ext:RecordField Name="change" Type="Float" />
                            <ext:RecordField Name="pctChange" Type="Float" />
                            <ext:RecordField Name="lastChange" Type="Date" />
                        </Fields>
                    </ext:ArrayReader>
                </Reader>
            </ext:Store>
            
            <ext:GridPanel 
                ID="GridPanel1" 
                runat="server" 
                StoreID="Store1" 
                StripeRows="true"
                Title="Array Grid" 
                Width="600" 
                Height="290"
                AutoExpandColumn="Company">
                <TopBar>
                    <ext:Toolbar runat="server">
                        <Items>
                            <ext:ToolbarFill runat="server" />
                            <ext:Button runat="server" Text="To XML" Icon="PageCode">
                                <Listeners>
                                    <Click Handler="submitValue(#{GridPanel1}, #{FormatType}, 'xml');" />
                                </Listeners>
                            </ext:Button>
                        </Items>
                    </ext:Toolbar>
                </TopBar>
                <ColumnModel runat="server">
                    <Columns>
                        <ext:Column 
                            ColumnID="Company" 
                            Header="Company" 
                            Width="160" 
                            Sortable="true" 
                            DataIndex="company">
                            <Editor>
                                <ext:TextField runat="server" />
                            </Editor>
                        </ext:Column>
                        <ext:Column Header="Price" Width="75" DataIndex="price">
                            <Renderer Format="UsMoney" />
                            <Editor>
                                <ext:TextField runat="server" />
                            </Editor>
                        </ext:Column>
                        <ext:Column Header="Change" Width="75" DataIndex="change" />
                        <ext:Column Header="Change" Width="75" DataIndex="pctChange" />
                        <ext:DateColumn Header="Last Updated" Width="85" DataIndex="lastChange" Format="HH:mm:ss" />
                    </Columns>
                </ColumnModel>
                <SelectionModel>
                    <ext:RowSelectionModel runat="server" />
                </SelectionModel>
                <LoadMask ShowMask="true" />
            </ext:GridPanel>
        </form>
    </body>
    </html>
  8. #8
    Another way, set ValidateRequest="false" for the Page directive
    Please note that it can create security hole in the page
    Also, .NET 4.0 requires additional actions to deactivate validation
    http://stackoverflow.com/questions/2...k-in-asp-net-4
  9. #9
    setting validateRequest="false" back function to work

Similar Threads

  1. Replies: 2
    Last Post: Jun 26, 2012, 5:31 PM
  2. [CLOSED] Get value RadioGroup Request Form
    By romeu in forum 2.x Legacy Premium Help
    Replies: 2
    Last Post: Feb 25, 2012, 11:20 AM
  3. Replies: 5
    Last Post: Nov 02, 2011, 6:20 AM
  4. Replies: 0
    Last Post: Jun 08, 2009, 12:04 PM
  5. HTMLEditor potentially dangerous request....
    By NestorLeone in forum 1.x Help
    Replies: 5
    Last Post: Jan 12, 2009, 10:44 PM

Tags for this Thread

Posting Permissions