A potentially dangerous Request.Form value was detected: Dealing with these errors proactively, or after the fact
I'm noticing this error more and more in my error logs. I've read through the questions here talking about this error, but they don't address what I would like to do (see below).
I'm considering three options, in the order of preference:
1) When submitting a form (I use FormViews almost exclusively, if that helps), if potentially dangerous characters are detected, automatically strip them out and submit.
2) When submitting a form, if potentially dangerous characters are detected, alert the user and let them fix it before trying again.
3) After the exception is generated, deal with it and alert the user.
I'm hoping one of the first two options could be done somewhat globally... I know for the 3rd I'd have to alter a TON of Try-Catch blocks I already have in place. Doable, but labor intensive. I'd rather be proactive about it if at all possible and avoid the exception altogether.
Perhaps one approach to #1 would be to write a block of code that could loop through all text entry fields in a FormView, during the Insert/Update event, and strip the characters out. I'm OK with that, but I'd rather not have to heavily alter all my Insert/Update events to accomplish this. Or maybe I just create a different class to do the text checking/deleting, and only insert 1 line of code in each Insert/Update event. If anyone can come up with some example code for any of these approaches, that would be a help.
Thanks for any ideas or information. I'm definitely open to other solutions too; these are only the 3 that came to mind. I can say that I don't want to turn request validation off though.
I would prefer #2 or #3. In #1 you are altering what the user entered without their knowledge.
You can go ahead and hook into the Submit event of the form, iterate through the editable fields and do a sanity check.
For option #3, you can override the OnError method of the Page class and provide a custom error message indicating the problem. (You can also use ELMAH or the Application_Error event to handle these errors.)
I would suggest you do both client-side and server-side validation.
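As an added example (not code from the original post or the answer above), here is option #3 handled in one place rather than in every Try-Catch block: a base page that overrides OnError, plus an Application_Error fallback in Global.asax.cs. Request validation stays on; the handler only swaps the yellow error screen for a friendly page. The names BasePage, LogInputRejected and ~/InputError.aspx are assumptions for illustration.

```csharp
// Added example, not code from the original post. Handles
// HttpRequestValidationException globally without turning request validation off.
// BasePage, LogInputRejected and ~/InputError.aspx are assumed names.
using System;
using System.Web;
using System.Web.UI;

// Derive pages from this class instead of System.Web.UI.Page. Request validation
// fires when the page first reads Request.Form, before Init, so the page's own
// controls are not usable here; send the user to a friendly page instead.
public class BasePage : Page
{
    protected override void OnError(EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex is HttpRequestValidationException)
        {
            // Record it before clearing: once the error is cleared,
            // Application_Error (and therefore ELMAH) never sees it.
            LogInputRejected(ex);
            Server.ClearError();
            // Redirect without ending the response, then complete the request,
            // so no ThreadAbortException is raised inside the error handler.
            Response.Redirect("~/InputError.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        base.OnError(e);
    }

    private void LogInputRejected(Exception ex)
    {
        // Log the URL and the framework message only. The message already names
        // the field and a truncated value; never write the raw value to a page.
        System.Diagnostics.Trace.TraceWarning(
            "Request validation rejected input on {0}: {1}", Request.RawUrl, ex.Message);
    }
}

// Global.asax.cs fallback for pages that do not derive from BasePage.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        // The page pipeline wraps exceptions in HttpUnhandledException; look inside.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;
        if (ex is HttpRequestValidationException)
        {
            Server.ClearError();
            Response.Redirect("~/InputError.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
        }
    }
}
```

The friendly page should say which characters are not accepted in general terms; it must not echo the rejected value back, because that value is precisely the markup request validation refused.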
A simpler solution which works great for many cases might be: only allow alphanumeric characters in your textboxes. Granted, this won't work for any large blobs of text you expect to get, but for simpler things it works like a charm.
Checking for non-alphanumeric characters existing in fields on form submission and throwing an alert dialog with some javascript is then pretty straightforward.
And of course, run the same checks on the server before you actually do anything with the submitted values.
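As an added example (not code from the original post or this answer), here is the "separate class, one line per Insert/Update event" idea from the question combined with this answer's alphanumeric whitelist: a helper that walks a FormView's editable row, tests every TextBox against the whitelist on the server, and cancels the insert or update with a message naming the offending fields. FieldWhitelist, lblError, FormView1 and the allowed-character pattern are assumptions.

```csharp
// Added example, not code from the original post. Server-side alphanumeric
// whitelist for all TextBoxes in a FormView, callable with one line from
// ItemInserting / ItemUpdating. FieldWhitelist and the pattern are assumed.
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

public static class FieldWhitelist
{
    // Letters, digits and spaces only. Anchored with \A and \z so a trailing
    // newline cannot slip past a $-anchored pattern.
    private static readonly Regex Allowed =
        new Regex(@"\A[A-Za-z0-9 ]*\z", RegexOptions.Compiled);

    public static bool IsAllowed(string value)
    {
        return value == null || Allowed.IsMatch(value);
    }

    // Recursively collect the IDs of TextBoxes whose text fails the whitelist.
    public static List<string> FindBadFields(Control root)
    {
        var bad = new List<string>();
        if (root != null) Walk(root, bad);
        return bad;
    }

    private static void Walk(Control c, List<string> bad)
    {
        var tb = c as TextBox;
        if (tb != null && !IsAllowed(tb.Text))
            bad.Add(tb.ID ?? tb.UniqueID);
        foreach (Control child in c.Controls)
            Walk(child, bad);
    }

    // FormViewInsertEventArgs and FormViewUpdateEventArgs both derive from
    // CancelEventArgs, so one method serves both events. Returns false and
    // cancels the event when any field fails.
    public static bool Check(FormView fv, CancelEventArgs e, Label errorLabel)
    {
        List<string> bad = FindBadFields(fv.Row);
        if (bad.Count == 0) return true;
        e.Cancel = true;
        // Name the fields, not their contents, so nothing the user typed is echoed.
        errorLabel.Text = "Only letters, digits and spaces are allowed in: "
            + string.Join(", ", bad.ToArray());
        return false;
    }
}

// Usage in the page (assumed control names):
// protected void FormView1_ItemInserting(object sender, FormViewInsertEventArgs e)
// {
//     if (!FieldWhitelist.Check(FormView1, e, lblError)) return;
//     // normal insert logic
// }
```

Two caveats. First, this check runs after request validation has already passed, because ASP.NET validates the form when the page first reads Request.Form, before any of your event handlers run; it enforces the stricter alphanumeric policy but cannot pre-empt the "potentially dangerous" exception, so the exception handler from the answer above is still needed for a client that skips the JavaScript check. Second, a RegularExpressionValidator with the same pattern attached to each TextBox gives you the client-side alert and the server-side Page.IsValid check together, which is the built-in way to keep the two sides consistent.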