[CLOSED] 从客户端(he_info="<div><font face="tah...")中检测到有潜在危险的 Request.Form 值。

**hdsoso** · Mar 20, 2014, 10:29 AM

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm23.aspx.cs" Inherits="extdemo.test.WebForm23" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
      <ext:ResourceManager ID="ResourceManager1" runat="server" SourceFormatting="True" RenderScripts="CDN" RenderStyles="CDN"></ext:ResourceManager>
        <ext:Viewport ID="Viewport1" runat="server" Layout="FitLayout">
            <Items>
                <ext:FormPanel ID="FormPanel1" runat="server" Layout="AnchorLayout" Title="企业简介">
                    <Items>
                    
                        <ext:HtmlEditor  LabelWidth="75" ID="he_info" runat="server" Margin="4" FieldLabel="企业简介" AnchorVertical="-100" AnchorHorizontal="100%"></ext:HtmlEditor>
                    </Items>
                    <Buttons>
                        <ext:Button ID="Button1" runat="server" Text="确定" Icon="Disk">
                            <DirectEvents>
                                <Click OnEvent="SaveComp"></Click>
                            </DirectEvents>
                        </ext:Button>
                    </Buttons>
                </ext:FormPanel>

            </Items>
        </ext:Viewport>
    </form>
</body>
</html>

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Ext.Net;

namespace extdemo.test
{
    public partial class WebForm23 : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (!X.IsAjaxRequest)
            {
                he_info.Text = Server.HtmlDecode("&lt;div&gt;&lt;font face=&quot;tahoma, arial, verdana, sans-serif&quot;&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; 苏州市吴中区木渎镇乐图模流分析公司，注册成立于2009年3月 '&quot;&lt;/font&gt;&lt;/div&gt;");
            }
        }

        protected void SaveComp(object sender, DirectEventArgs e)
        {
            var a = Server.HtmlEncode(he_info.Text);
            he_info.Text = Server.HtmlDecode(a);
            X.Msg.Alert("info", "success").Show();
        }
    }
}

when page is load, then i click "确定" button , then show error :

从客户端(he_info="<div><font face="tah...")中检测到有潜在危险的 Request.Form 值。

说明: ASP.NET 在请求中检测到包含潜在危险的数据，因为它可能包括 HTML 标记或脚本。该数据可能表示存在危及应用程序安全的尝试，如跨站点脚本攻击。如果此类型的输入适用于您的应用程序，则可包括明确允许的网页中的代码。有关详细信息，请参阅 http://go.microsoft.com/fwlink/?LinkID=212874。 

异常详细信息: System.Web.HttpRequestValidationException: 从客户端(he_info="<div><font face="tah...")中检测到有潜在危险的 Request.Form 值。

BUT when i simplely add a blank space to the htmleditor or edit it a little , the no error. why?

**Daniil** · Mar 20, 2014, 2:07 PM

Hi @hdsoso,

We are investigating. Here is a bit simplified example.

Example

<%@ Page Language="C#" %>

<%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>

<script runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!X.IsAjaxRequest)
        {
            this.HtmlEditor1.Text = "<div>Test</div>";
        }
    }

    protected void TestDirectEventHandler(object sender, DirectEventArgs e)
    {
        X.Msg.Alert("DirectEvent", this.HtmlEditor1.Text).Show();
    }
</script>

<!DOCTYPE html>
<html>
<head runat="server">
    <title>Ext.NET v2 Example</title>
</head>
<body>
    <form runat="server">
        <ext:ResourceManager runat="server" />

        <ext:HtmlEditor ID="HtmlEditor1" runat="server" />

        <ext:Button runat="server" Text="Test" OnDirectClick="TestDirectEventHandler" />
    </form>
</body>
</html>

**hdsoso** · Mar 21, 2014, 1:01 AM

your exampe faces the same issue.
please see the video.
http://screencast.com/t/OO1qfDiObsH2

**geoffrey.mcgill** · Mar 21, 2014, 1:11 AM

The following thread is related to this subject:

http://forums.ext.net/showthread.php...est-Form-value

Example

<%@ Page Language="C#" ValidateRequest="false" %>

**Daniil** · Mar 21, 2014, 3:25 AM

Originally Posted by hdsoso

your exampe faces the same issue.

Yes, it is just a standalone and simplified sample to reproduce the same problem.

**hdsoso** · Mar 21, 2014, 8:59 AM

Originally Posted by geoffrey.mcgill

The following thread is related to this subject:

http://forums.ext.net/showthread.php...est-Form-value

Example

<%@ Page Language="C#" ValidateRequest="false" %>

i add this to page tag, but no work.

**Daniil** · Mar 21, 2014, 9:20 AM

There should this setting in Web.config.

<system.web>
  <httpRuntime requestValidationMode="2.0" />
</system.web>

**Daniil** · Mar 24, 2014, 4:17 AM

Originally Posted by Daniil

Hi @hdsoso,

We are investigating. Here is a bit simplified example.

Example

<%@ Page Language="C#" %>

<%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>

<script runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!X.IsAjaxRequest)
        {
            this.HtmlEditor1.Text = "<div>Test</div>";
        }
    }

    protected void TestDirectEventHandler(object sender, DirectEventArgs e)
    {
        X.Msg.Alert("DirectEvent", this.HtmlEditor1.Text).Show();
    }
</script>

<!DOCTYPE html>
<html>
<head runat="server">
    <title>Ext.NET v2 Example</title>
</head>
<body>
    <form runat="server">
        <ext:ResourceManager runat="server" />

        <ext:HtmlEditor ID="HtmlEditor1" runat="server" />

        <ext:Button runat="server" Text="Test" OnDirectClick="TestDirectEventHandler" />
    </form>
</body>
</html>

It has been fixed in the revision #5727. It will go to the v2.5.1 release.

**macroe** · Mar 25, 2014, 6:44 AM

兄弟啊，遇到个发中文标题的人真不容易啊！

Hi, man! Met here to say Chinese people was not easy!

**Daniil** · Mar 25, 2014, 6:51 AM

Hi @macroe,

Could you, please, translate to English for others?

Thread: [CLOSED] 从客户端(he_info="<div><font face="tah...")中检测到有潜在危险的 Request.Form 值。

Thread Tools

Search Thread

Display

[CLOSED] 从客户端(he_info="<div><font face="tah...")中检测到有潜在危险的 Request.Form 值。

Similar Threads

[OPEN] [#450] A Panel's Frame="false" and UI="Primary" causes wrong rendering of Tools

[CLOSED] [#244] Grid cell editing, and combobox "blur" event NOT fired when expected upon "tab" key

[CLOSED] Ext.net v2 Beta release: Panel collapsed with CollapseMode="Mini" and Split="true"

[CLOSED] GridPanel: ServerSide Code Equivalent for "getSelectionModel().selectRow(0)" and "getView().focusRow(0)"

use multicombo , asp.net findcontrol后台如何获得listitem选中的值

Posting Permissions

Sitemap

Downloads

Resources

Thread: [CLOSED] 从客户端(he_info="<div><font face="tah...")中检测到有潜在危险的 Request.Form 值。

[CLOSED] 从客户端(he_info="<div><font face="tah...")中检测到有潜在危险的 Request.Form 值。

Similar Threads

Posting Permissions

Sitemap

Downloads

Resources

Stay connected with us