Simple editor in members section does not work
I have a membertype which uses a Simple Texteditor in one of its fields.
When I edit this field using the bold option of the simple texteditor and I save the member, I get an error:
"System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$body$member_frame="<strong>Openingsuren...")."
Any help would be welcome!
grts,
Kim
Put ValidateRequest="false" in EditMember.aspx (\umbraco\members\EditMember.aspx) header.
Like this:
<%@ Page language="c#" Codebehind="EditMember.aspx.cs" MasterPageFile="../masterpages/umbracoPage.Master" AutoEventWireup="True" Inherits="umbraco.cms.presentation.members.EditMember" ValidateRequest="false" %>
That turns off the validation on that page only and not the whole site.
Hope it helps :)
Edit: This is only a solution if the member can't access and edit from the frontend
Hi Kim and NanoDK
As NanoDK is saying you can disable the validate page so <html> elements are allowed as the content. However this also opens up for XSS attacks, which isn't ideal. I must admit that I'm no security guru and do not know much about the threat level, but something tells me it's not the way to go, depending on the project scale etc.
You can read a bit more about a better solution in here: http://devtacular.com/articles/gkonrad/allowing-html-formatted-user-input-in-aspnet/
/Jan
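Added example, not part of the original thread and not Umbraco code: once ValidateRequest is off for a page, the submitted value needs its own filtering before it is rendered. This C# helper HTML-encodes the whole value and then restores only a small allowlist of attribute-free formatting tags; the class name, the tag list and the sample inputs are assumptions made for the illustration.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class MemberHtmlSanitizer   // hypothetical helper name
{
    // Assumed allowlist: plain formatting tags only, never with attributes.
    private static readonly string[] AllowedTags = { "strong", "b", "em", "i", "u", "p", "br" };

    // Matches an *encoded* allowlisted tag such as &lt;strong&gt;, &lt;/em&gt; or &lt;br /&gt;.
    private static readonly Regex EncodedTag = new Regex(
        @"&lt;(/?)(" + string.Join("|", AllowedTags) + @")\s*(/?)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static string Sanitize(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        // Step 1: neutralise everything, so <script>, event handlers and
        // quotes all become inert text (&lt; &gt; &quot; &#39; &amp;).
        string encoded = WebUtility.HtmlEncode(input);

        // Step 2: turn back only exact, attribute-free allowlisted tags.
        // A tag carrying attributes (e.g. onmouseover) does not match and stays encoded.
        return EncodedTag.Replace(encoded, m =>
            "<" + m.Groups[1].Value + m.Groups[2].Value.ToLowerInvariant()
                + (m.Groups[3].Value.Length > 0 ? " /" : "") + ">");
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string[] samples =
        {
            "<strong>Openingsuren</strong> 9-17",
            "<strong onmouseover=\"alert(1)\">x</strong>",
            "<script>alert(1)</script><em>ok</em>",
            "&lt;strong&gt; typed as literal text"
        };
        foreach (string s in samples)
            Console.WriteLine(Sanitize(s));
    }
}
```

Only the first sample and the `<em>` pair come back as markup; the attribute-bearing tag, the script element and the pre-encoded text stay as escaped text. The helper does not balance tags, so an unclosed `<strong>` can still affect layout, and on .NET versions before 4.0 `HttpUtility.HtmlEncode` from System.Web takes the place of `WebUtility.HtmlEncode`.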
Well, if it's only backend it will be ok.. but no way if it's for members (frontend)
Hi NanoDK
Yeah, you have a point there. Just thought it's worth mentioning since I think many people who just need to get a quick workaround tend to trust that everything is fine when they have implemented the above solution. I have been guilty of this until someone told me it was a bad practice (frontend-wise), so just posting so other people get to know this if they look at this post in the future.
But as you say, for backend purposes there probably is no risk :)
/Jan
Hey Jan
And you are right, never turn off validating if it's frontend.