Dave Burke - Freelance .NET Developer specializing in Online Communities


Potentially harmful code posted... UPDATE

I broke out the freetextbox.dll control from Scott Watermasysk's .TEXT framework for another project of mine. (Is my understanding correct that this control was written on Linux? It's a very sweet control!) In testing I kept getting an error message "Potentially harmful code was posted ...." or something to that effect. I could NOT figure it out. dotnet.newsgroups via Google to the rescue once again:

Adding <pages validateRequest="false" /> in the web.config did the trick.

Update: Great suggestion from G. Andrew Duthie as a better security practice: turning off Page Validation at the PAGE level and not in the web.config along with filtering out everything except what you want to accept.  Also good references from Victor Garcia Aprea on validation.  See comments.

Comments

Shannon J Hager said:

the free textbox is available at http://revjon.com
# August 30, 2003 12:37 AM

Kris said:

Check also http://www.fredck.com/fckeditor/

Way more features than FTB
# August 30, 2003 2:01 AM

G. Andrew Duthie said:

As with the process identity setting, changing this default in web.config (or worse, machine.config) is a bad idea. I wrote about this a while back at http://weblogs.asp.net/gad/posts/6496.aspx.

Basically, the problem with what you're doing is that if someone later adds a page to that application that accepts text input, and does not actively filter potentially harmful HTML and/or script input, your application becomes vulnerable to cross-site scripting attacks.

A better practice is to turn off request validation at the *page* level, but only *after* you've implemented filtering on the input fields (including the querystring, etc.). Remember that you should always filter *out* everything but what you want to accept, rather than attempting to filter out only the bad stuff. Writing Secure Code, 2E., by Michael Howard offers great advice on this subject.
# August 30, 2003 1:05 PM
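The approach recommended above (leave the web.config default alone, opt out with `<%@ Page ValidateRequest="false" %>` only on the page that hosts the rich-text control, and keep only the markup you explicitly accept) is shown below as an added example. It is not code from the original post, from .TEXT, or from FreeTextBox; the `HtmlAllowList` class, its tag list and the sample input are all constructed for this illustration, and it assumes a C# compiler with `System.Net.WebUtility` available (any current .NET).

```csharp
// Added example, not part of the original post or the .TEXT project.
// The hosting page opts out of request validation with
//   <%@ Page Language="C#" ValidateRequest="false" %>
// while web.config keeps its default of <pages validateRequest="true" />.
// Everything the page then accepts goes through Filter() before it is stored or rendered.
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

public static class HtmlAllowList
{
    // Allow-list: these tags pass through; every other tag is rendered as literal text.
    static readonly HashSet<string> AllowedTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "b", "i", "u", "p", "br", "a" };

    // Matches one tag: optional "/", the tag name, and whatever attributes follow.
    static readonly Regex Tag = new Regex(@"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>", RegexOptions.Compiled);

    // The only attribute kept on <a>: an href that is an absolute http(s) URL.
    static readonly Regex Href = new Regex(@"href\s*=\s*[""']?(https?://[^""'\s>]+)",
        RegexOptions.Compiled | RegexOptions.IgnoreCase);

    public static string Filter(string input)
    {
        var sb = new StringBuilder();
        int last = 0;

        foreach (Match m in Tag.Matches(input))
        {
            // Text between tags is always HTML-encoded.
            sb.Append(WebUtility.HtmlEncode(input.Substring(last, m.Index - last)));
            last = m.Index + m.Length;

            bool closing = m.Groups[1].Value == "/";
            string name = m.Groups[2].Value.ToLowerInvariant();
            string attrs = m.Groups[3].Value;

            if (!AllowedTags.Contains(name))
            {
                // Not on the list (script, img, iframe, ...): encode the whole tag as text.
                sb.Append(WebUtility.HtmlEncode(m.Value));
                continue;
            }

            if (closing)
            {
                sb.Append("</").Append(name).Append('>');
            }
            else if (name == "a")
            {
                // Attributes are never copied through; only a recognised http(s) href is re-emitted,
                // so onclick=, style= and javascript: URLs are dropped rather than filtered.
                Match h = Href.Match(attrs);
                sb.Append(h.Success
                    ? "<a href=\"" + WebUtility.HtmlEncode(h.Groups[1].Value) + "\">"
                    : "<a>");
            }
            else
            {
                // Allowed tags are emitted bare, without any of their original attributes.
                sb.Append('<').Append(name).Append('>');
            }
        }

        sb.Append(WebUtility.HtmlEncode(input.Substring(last)));
        return sb.ToString();
    }

    // Constructed sample input, the kind of thing a rich-text editor might post.
    public static string Demo()
    {
        string posted = "<p onclick=\"alert(1)\">Hello <b>world</b> " +
                        "<a href=\"javascript:alert(1)\">x</a> " +
                        "<a href=\"https://example.com/\">ok</a></p><script>alert(1)</script>";
        return Filter(posted);
    }
}
```

`Demo()` returns the paragraph and bold text intact, the first link reduced to a bare `<a>`, the second link keeping only its `https://` href, and the `<script>` element turned into encoded text, which is the allow-list behaviour the comment above asks for. Tag balance is not enforced here; the point is that nothing outside the list reaches the browser as markup, and any page that needs richer markup extends the list deliberately rather than widening the web.config default.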

Victor Garcia Aprea said:

If you're planning to turn off the built-in validation you should definitely write your own validation.

Here some detailed info on ValidateRequest:

http://weblogs.asp.net/vga/posts/6329.aspx
http://weblogs.asp.net/vga/posts/7170.aspx
# August 30, 2003 8:17 PM