Strategy for auto encoding text inputs?

To prevent my application from crashing with the error "A potentially dangerous Request.Form value was detected...", I just turned page validation off. I want to revisit this and solve it correctly.

Is there a good strategy for this? If people are entering '<' and '>', I think the only way to save their data is to encode it via Javacript. I have tried catching it in the code-behind, but it becomes too late. I am thinking of inheritin开发者_如何学Cg the textbox and auto encode/decode the input with client scripts. I also have to think of all the angle brackets that are already saved in my database.

Any suggestions or experience with this?

I get from your answer that you don't want your client to send you "dangerous" content, so its desirable to leave the page validation turned on, as a last line of defense, instead of turning it off and using Server.HtmlEncode on each user input value (you might miss one and it is a lot of work).

I would go for a javascript solution, for example you could use a library such as jQuery, and hook into the submit events of the forms, and tidy the input before submitting. Much cleaner than creating your own derived textbox.

For the users without javascript, or that try to "hack" your little script, sc#!w them, they will reach your last line of defense, and get an error.

It's best to think of the built-in page validation as a safety device that isn't applicable to all cases. There are more than a few times when it is completely impossible to do something with it turned on. In these cases we turn it off, and deal with the validation ourselves.

The most obvious case is that sometimes we actually do want to send big chunks of HTML to the server. Of course, doing so still has to be made secure, but "oh, that looks like a big chunk of HTML! throw a security exception!" obviously isn't the correct way to do that.

So, in these cases it's perfectly sensible to turn off page-validation and add your own server-side. It does mean that you have to think about just how this input will be used with a bit more scrutiny than before. Follow through the path of every datum input (not just those where you expect to see characters like <, and ensure that either it will never be sent back to the client unescaped, or that it is thoroughly inspected to guarantee safety.

You can escape dangerous chars before posting the data. Like this:

string = escape(string);

and then on the server side:

var stringVal = Server.UrlDecode(Request["string"]);

Something like that.

Have you considered using ,

Server.HtmlEncode(input) 

There is no real need to do it in the client end using javascript. You can easily do it in the server side using the above technique.

And possibly be a duplicate of this question /BB