
"A potentially dangerous Request.Form value was detected from the client" error using TINY MCE for CMS

When I put a value in the textbox, it throws this error. I am making a Content Management System.

A potentially dangerous Request.Form value was
detected from the client (elm1="<p>ABC</p>").

When the page goes to the server, it throws the error.

Please assist.


The .NET framework is throwing up an error because it detected something in the entered text which looks like an HTML or JavaScript statement. The text doesn't need to contain valid HTML, just anything with opening and closing angled brackets ("<...>").

The error is raised as a security precaution. Developers need to be aware that users might try to inject HTML (or even a script) into a text box which may affect how the form is rendered. For further details see www.asp.net/learn/whitepapers/request-validation/.

Solutions:

To disable request validation on a page, add the following directive to the existing "page" directive in the file (you will need to switch to the HTML view for this):

ValidateRequest="false"

For example, if you already have:

<%@ Page Language="vb" AutoEventWireup="false" Codebehind="MyForm.aspx.vb" 
    Inherits="Proj.MyForm"%>

then this should become:

<%@ Page Language="vb" AutoEventWireup="false" Codebehind="MyForm.aspx.vb"
    Inherits="Proj.MyForm" ValidateRequest="false"%>

Alternatively, you can globally turn request validation off (but in that case be sure to implement item two below). To globally turn request validation off, add the following to your web.config file:

<pages validateRequest="false" />

This should go within the <system.web> section. This will turn off request validation for every page in your application.

Source


Disabling page validation is not the way to go.

HTML encode your contents and then convert back.

Add the following keys to your MCE global settings in your web config.

<globalSettings>
  ...
  <add key="encoding" value="xml" />
  <add key="entity_encoding" value="raw" />
  <add key="entities" value="160,nbsp,38,amp,34,quot,162,cent,8364,euro,163,pound,165,yen,169,copy,174,reg,8482,trade,8240,permil,60,lt,62,gt,8804,le,8805,ge,176,deg,8722,minus" />
</globalSettings>

Then in your TextChanged Event

protected void TextArea1_TextChanged(object sender, EventArgs e)
{
    TextArea1.Value = Server.HtmlDecode(TextArea1.Value);
}


<pages validateRequest="false">
    <controls>
        <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    </controls>
</pages>
0
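
Whichever approach above is used (validation switched off, or the editor's encoded output decoded on the server), the server ends up holding raw HTML that request validation never inspected. The following is an added example, not code from any of the answers: it decodes the posted value and then neutralises every `<` that does not open an attribute-free tag from a small allowlist. The names `EditorHtml` and `Clean`, the tag list and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class EditorHtml
{
    // Matches every '<' that does NOT start one of the attribute-free tags below.
    // The tag list is an assumption; adjust it to what the CMS should render.
    static readonly Regex DisallowedLt = new Regex(
        @"<(?!/?(?:p|br|b|i|em|strong|ul|ol|li)\s*/?>)",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // posted: the field value as the editor sends it with encoding=xml,
    // i.e. entity-encoded, so request validation can stay enabled.
    public static string Clean(string posted)
    {
        // Same decode step as Server.HtmlDecode in the TextChanged handler.
        string html = WebUtility.HtmlDecode(posted ?? string.Empty);
        // Anything other than a bare allowlisted tag becomes inert text.
        return DisallowedLt.Replace(html, "&lt;");
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample inputs, already entity-encoded by the editor.
        string[] samples =
        {
            "&lt;p&gt;ABC&lt;/p&gt;",                                      // plain paragraph
            "&lt;p&gt;Hi&lt;script&gt;alert(1)&lt;/script&gt;&lt;/p&gt;",  // script element
            "&lt;p onclick=&quot;x()&quot;&gt;click&lt;/p&gt;",           // event-handler attribute
            "&lt;p&gt;a &amp;lt; b&lt;/p&gt;",                            // literal '<' typed as text
        };
        foreach (string s in samples)
            Console.WriteLine(EditorHtml.Clean(s));
    }
}
```

Because tags carrying attributes are not on the allowlist, links and inline styles produced by the editor are shown as literal text rather than rendered. The result is intended for output inside an HTML element body only.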
