A potentially dangerous Request.Form value was detected from the client (spanContent="... <span><p>
I think you are attacking it from the wrong angle by trying to encode all posted data.Note that a "<" could also come from other outside sources, like a database field, a configuration, a file, a feed and so on. Furthermore, "<" is not inherently dangerous, its only dangerous in a specific context: when writing unencoded strings to HTML output (because of XSS). In other contexts different substrings are dangerous, e.g. if you write an user-provided URL into a link, the substring "javascript:" may be dangerous. The single quote character on the other hand is dangerous when interpolating strings in SQL queries, but perfectly safe if it is a part of a name submitted from a form or read from a database field.
validateRequest="false"
<httpRuntimerequestValidationMode="2.0" />
No comments:
Post a Comment