Is there any risk of submitting form with HTML?

6

When I put the text Em 19 de maio de 2015 16:48, <asdfsadf> escreveu: in the form and submit it, I get the following error:

A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$tbObservation="... or Pedrosa

ASP.NET identified the text as HTML and dangerous, which prevented the form from being submitted; it seems to me the problem is the <asdfsadf>. I added ValidateRequest="false" to my Aspx page, which disables this validation, but I'm wary of the effects it might have.

My questions are:

  • Is there any risk of submitting a form with HTML?
  • If so, what?

asked by anonymous 27.05.2015 / 15:13

    1 answer

    6

    ASP.NET, by default, validates whether there are HTML elements and other special characters in the data sent by the server. The reason for this is protection against vulnerabilities such as HTML Injections and Script Injections.

    HTML injection can have many bad consequences, among them access to the user's cookies, allowing the attacker to impersonate another user, or modification of the page content seen by the victims.

    An HTML injection can lead to exploiting a more serious vulnerability, XSS (Cross Site Scripting). An XSS attack occurs when the attacker is able to use a web application to send malicious scripts to other users. The user's browser has no way of knowing that the script is not trustworthy, so it runs it. Because the script comes from a trusted source, it can access cookies, session keys, and other sensitive information of the user accessing that site.

    All of these injections can be avoided by validating the content submitted in the request, and ASP.NET already does this for you when the ValidateRequest setting is turned on. Note that this setting can be made per page, in Web.config (for the entire application), and even per control ( ValidateRequestMode="Disabled|Enabled|Inherit" ).

    Read more on:

    • About HTML Injection and XSS: link, link
    • An ASP.NET-centric view of injection types: link
    • Setting options for ValidateRequest: link

    27.05.2015 / 15:39
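Accepting the text from the question without switching validation off for the whole page, as an added example (not code from the original answer): request validation stays on, only the one textbox opts out via ValidateRequestMode, and the value is HTML-encoded before it is written back to the page. It assumes ASP.NET 4.5 or later with `<httpRuntime requestValidationMode="4.5" />` in Web.config, which per-control ValidateRequestMode requires; the page, control and handler names are invented for the example.

```aspx
<%@ Page Language="C#" %>
<%-- Web.config (not shown) must contain
     <system.web><httpRuntime requestValidationMode="4.5" /></system.web>
     so that ValidateRequestMode on an individual control is honoured. --%>
<script runat="server">
    protected void btnSave_Click(object sender, EventArgs e)
    {
        // Raw text such as "Em 19 de maio de 2015 16:48, <asdfsadf> escreveu:"
        // now reaches the server. It is never written to the response as-is.
        string observation = tbObservation.Text;

        // Encode at output: "<asdfsadf>" becomes "&lt;asdfsadf&gt;" and is
        // displayed as literal text instead of being parsed as an element.
        litPreview.Text = HttpUtility.HtmlEncode(observation);
    }
</script>
<html>
<body>
<form id="form1" runat="server">
    <%-- Request validation remains enabled for every other field on the page;
         only this textbox opts out, so the error from the question goes away
         without setting ValidateRequest="false" for the whole page. --%>
    <asp:TextBox ID="tbObservation" runat="server" TextMode="MultiLine"
                 ValidateRequestMode="Disabled" />
    <asp:Button ID="btnSave" runat="server" Text="Save" OnClick="btnSave_Click" />
    <asp:Literal ID="litPreview" runat="server" />
</form>
</body>
</html>
```

The same rule applies wherever the stored value is later rendered (grids, reports, other pages): encode on output, since the textbox no longer rejects markup on input.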