When entering the text:
Em 19 de maio de 2015 16:48, <asdfsadf> escreveu: and submitting the form I got the following error:
A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$tbObservacao="…the Pedrosa < asdfsadf
The text was identified as HTML and dangerous by Asp.Net which prevented the form from being submitted, it seems to me the problem is in this
<asdfsadf> . I've added
ValidateRequest = "false" to my Aspx page which disables this validation, but I was left with a bit of a backlash on the effects this can have.
My questions would be:
- Is there any risk of submitting a form with HTML ?
- If yes which ones?
ASP.NET, by default, validates that there are HTML elements and other special characters in the data sent by the server. The reason for this is to protect against vulnerabilities like HTML Injections and Script Injections.
HTML injections can have many bad consequences, including accessing users' cookies, allowing the attacker to impersonate another user, or modifying the page content seen by victims.
An HTML injection can lead to the exploitation of a more serious vulnerability which is XSS (Cross Site Scripting) . An XSS attack occurs when an attacker manages to use a web application to send malicious scripts to other users. The user's browser has no way of knowing that the script is unreliable and so it executes it. By assuming that the script came from a trusted source, this script is able to access cookies, session keys, and other sensitive information from the user who accesses that site.
All these injections can be avoided by validating the content sent in the request and ASP.NET already does this for you when the
ValidateRequest setting is turned on. Pay attention to the fact that this configuration can be done by page, by Web.Config (for the entire application) and even by control (
Read more about it at:
About HTML Injection and XSS:
An ASP.NET-oriented view of injection types: