Mikey Mouse

Reputation: 3098

PageRequestManagerServerErrorException due to Textbox Content

I'm having a very weird problem. It took me a while to track down. Basically I'm getting a Microsoft JScript runtime Error popup when I load data from the database into a bunch of TextBoxes.

It's getting thrown after a Sys.Observer.RaiseEvent(this, "endRequest", eventArgs). I've seen that this error can be ignored, but after it's thrown no postbacks inside my update panels trigger. Buttons don't work, Listboxes with AutoPostbacks don't fire.

So eventually I track it down to one text box. If I don't populate it everything works fine.

The textbox was getting populated with:

    MO-SU 0700-0230        <<SEE GEN INFO>>        <<HRS T-1 ONLY>>

My first thought was there must be an escape character in there or something that's messing with the update panel. I'm going to remove the "<<" and ">>", but I was just wondering if anyone can explain why this occurred.

Upvotes: 2

Views: 131

Answers (2)

Devjosh

Reputation: 6496

Due to the << and >>, your partial post is considered an XSS attack by the server. Since you load your textboxes with a string containing < and >, it will be posted to the server next time, and since <script> tags also start and end with < > characters, the server checks for XSS-sensitive characters and denies the request. It is always good to post data like this using the HttpUtility.HtmlEncode and HttpUtility.HtmlDecode methods provided with ASP.NET while posting data and loading data in server controls. See the following example:

    string DecHtml = HttpUtility.HtmlDecode(value1);
    string EncHtml = HttpUtility.HtmlEncode(value2);

Find more info about HtmlEncode for the input. If you want to get an idea of XSS, you should follow this.

Fortunately though, we can turn off the validation within the page directive of the ASPX:

    <%@ Page Language="C#" MasterPageFile="~/Site.Master"
    AutoEventWireup="true" CodeBehind="webpage.aspx.cs"
    Inherits="Web.webpage" Title="webpageSite" ValidateRequest="false" %>

Alternatively, request validation can be turned off across the entire site within the web.config:

    <pages validateRequest="false" />

For .NET 4.0, you can no longer turn it off at the page level whilst running in .NET 4 request validation mode. To be able to disable validation, we need to ask the web.config to regress back to 2.0 validation mode:

    <httpRuntime requestValidationMode="2.0" />

Frankly, this is simply not a smart idea unless there is a really good reason why you’d want to remove this safety net from every single page in the site. So the best approach IMHO is to use encoding and decoding whenever possible. Find more here

Upvotes: 2
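The encode-on-load, decode-on-save round trip described in the answer above, applied to the exact string from the question. This is an added example, not code from either poster; `LooksDangerous` is a hypothetical, simplified approximation of the request-validation check, written here only to show why the raw value is rejected and the encoded one is not.

```csharp
using System;
using System.Web; // HttpUtility, the class used in the answer above

static class RequestValidationDemo
{
    // Simplified approximation (an assumption of this example, not ASP.NET's
    // own code) of the request-validation heuristic: flag '<' followed by an
    // ASCII letter, '!', '/' or '?', and '&' followed by '#'.
    static bool LooksDangerous(string s)
    {
        for (int i = 0; i + 1 < s.Length; i++)
        {
            char next = s[i + 1];
            bool asciiLetter = (next >= 'a' && next <= 'z') || (next >= 'A' && next <= 'Z');
            if (s[i] == '<' && (asciiLetter || next == '!' || next == '/' || next == '?'))
                return true;
            if (s[i] == '&' && next == '#')
                return true;
        }
        return false;
    }

    static void Main()
    {
        // The value from the question, as stored in the database.
        string stored = "MO-SU 0700-0230        <<SEE GEN INFO>>        <<HRS T-1 ONLY>>";

        // Encode before assigning to the TextBox, so this is what gets posted back.
        string posted = HttpUtility.HtmlEncode(stored);

        // Decode on the server before saving, restoring the original value.
        string restored = HttpUtility.HtmlDecode(posted);

        Console.WriteLine("raw flagged:      " + LooksDangerous(stored));
        Console.WriteLine("encoded value:    " + posted);
        Console.WriteLine("encoded flagged:  " + LooksDangerous(posted));
        Console.WriteLine("round-trip equal: " + (restored == stored));
    }
}
```

The raw value trips the check at the `<S` in `<<SEE` and the `<H` in `<<HRS`. An encoded value can still be flagged if encoding produces a numeric entity such as `&#39;` for an apostrophe, so validate on the server after decoding rather than relying on encoding alone.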

KoViMa

Reputation: 382

Change the Page setting ValidateRequestMode, but then you should check all user inputs manually to prevent attacks.

Upvotes: 1
