Randel Ramirez

Reputation: 3761

How do I insert html tags/script to sql as a text?

I'm trying to work on a 'practice' app wherein the textbox value will be inserted to the database.

What happens is that when I insert the textbox.text value,

e.g. text =

           <script>alert('Hello')</script>

I get an error: A potentially dangerous Request.Form value was detected from the client (TextBox1="alert('XSS')...").

I'm already using SQL parameters so values like ' " /// \\ are not a problem as of now.

Upvotes: 0

Views: 4657

Answers (4)

Victor

Reputation: 372

You can just insert the tag broken up in a concatenated string, like in:

Insert into table values('<'+'h2'+'>'+'Another One'+'<'+'/'+'h2'+'>')

Upvotes: 0

Hans Kesting

Reputation: 39339

It's not a (potential) SQL problem that ASP.NET is warning about. When you accept that value and later show it in your page without encoding, then that unwanted script will fire.

At this moment it will show a harmless alert, but if you allow any user to type in these values then who knows what will happen.

Upvotes: 1
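To make that point concrete, here is an added example in ASP.NET Web Forms C# (it is not code from the question or from any of the answers): the parameterized insert the asker already has, the unsafe render that turns the stored `<script>` text into stored XSS, and the encoded render that displays the same string as text. The `Notes` table with its `Body` column, the `litBody` Literal control and the connection string are assumptions made for the example.

```csharp
// Added example, not code from the question or the answers.
// Assumptions: a SQL Server table Notes(Body nvarchar(max)), a Literal control
// named litBody in the page markup, and a connection string supplied by the caller.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI.WebControls;

public class PracticePage : System.Web.UI.Page
{
    // Declared here so the file stands alone; in a real project the
    // designer file declares the control for you.
    protected Literal litBody;

    // Store the raw text. The parameter protects the query against SQL
    // injection, which is why "<script>" is no different from any other text
    // here. It says nothing about what the text will mean to a browser later.
    public static void SaveNote(string connectionString, string body)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("INSERT INTO Notes (Body) VALUES (@body)", conn))
        {
            cmd.Parameters.Add("@body", SqlDbType.NVarChar).Value = body;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Vulnerable: the stored value is written into the page as markup, so a
    // stored "<script>alert('Hello')</script>" runs in every visitor's browser
    // (stored XSS). This is the case the answer above warns about.
    public static void RenderUnsafe(Literal target, string storedBody)
    {
        target.Text = storedBody;
    }

    // Fixed: encode at the point of output. The browser receives
    // &lt;script&gt;alert(&#39;Hello&#39;)&lt;/script&gt; (the &#39; form of
    // the apostrophe is what HtmlEncode produces on .NET 4.0 and later) and
    // shows it as plain text instead of executing it.
    public static void RenderSafe(Literal target, string storedBody)
    {
        target.Text = HttpUtility.HtmlEncode(storedBody);
        // Alternatives: leave Text raw and set target.Mode = LiteralMode.Encode,
        // or in inline ASP.NET 4 markup write <%: storedBody %>.
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // In the practice app this would come from SELECT Body FROM Notes;
        // the literal below is the asker's own sample input.
        string storedBody = "<script>alert('Hello')</script>";
        RenderSafe(litBody, storedBody);
    }
}
```

Request validation only rejects suspicious input on the way in; once you switch it off (as the other answers describe) the encode-on-output step is the only thing standing between the stored text and a visitor's browser, so it belongs in every place the value is rendered, not just one.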

ToinoBiclas

Reputation: 262

If it is only for testing purposes you may disable the ASP.NET validator so it stops looking for HTML/XML tags that could be potentially dangerous. To do that, set ValidateRequest to false in your aspx page.

<%@ Page Title="" Language="C#" ValidateRequest="false" %>

This is not recommended for production environments, but in your case it can do the trick. More info in the following MSDN link.

Upvotes: 1

Kapil Khandelwal

Reputation: 16144

Set ValidateRequest="false" for your page to allow HTML.

At page level:

<%@ Page Language="c#"  ValidateRequest="false" AutoEventWireup="false" CodeBehind="TestPage.aspx.cs" Inherits="TestPage" %>

Also, for ASP.NET 4.0, you need to add the following to your web.config:

<httpRuntime requestValidationMode="2.0" />

Upvotes: 2
