Update

I’ve updated my solution for this issue to be more robust and easier to follow. Please read the latest post instead.

TinyMCE is a great little WYSIWYG JavaScript text editor that we use quite often inside administration pages. It’s lightweight and just works out of the box.

Well, except for the little issue of how it submits its output. TinyMCE writes its content back into the underlying textarea as raw HTML, so when you submit an ASP.NET form that contains the editor, request validation stops it with this lovely message:

A potentially dangerous Request.Form value was detected from the client (ctl00$ContentBody$TextBoxBodyHtml="<p>Test!</p>").

Which is good, because that's ASP.NET request validation doing its job and helping to protect your site from XSS attacks.

The standard solution you see floating around the web is to turn off validation for the page entirely (ValidateRequest="false" in the @ Page directive). This gets hairier in ASP.NET 4.0, where request validation runs before the page is even created: to make the page-level switch work at all you have to set requestValidationMode="2.0" on <httpRuntime> in web.config, which forces the entire web application back onto the ASP.NET 2.0 validation model.

I’ve never liked this method, and I doubt anyone who has used it in the past has felt great about it either. Validation is there for a reason.

The real solution is to use the built-in output encoding option on the TinyMCE control, and then HtmlDecode the output yourself on the server side (if you want to). Bear in mind what that decode hands you: exactly the raw HTML that request validation would have rejected. The encoding stops the validator from tripping; it does nothing to make the markup safe. That is fine on an administration page used by trusted staff, which is where we use it. If untrusted users can reach the editor, run the decoded HTML through an allow-list sanitizer before you store or render it.

<tinymce:TextArea id="TextBoxBodyHtml" encoding="xml" runat="server" />

// Code-behind (HttpUtility lives in System.Web)
public string BodyHtml
{
    // The posted value is entity-encoded; decode it back to HTML on the way out.
    get { return HttpUtility.HtmlDecode(TextBoxBodyHtml.Value); }
    set { TextBoxBodyHtml.Value = value; }
}

So, with the encoding option set to xml, TinyMCE entity-encodes its content (<, >, &, and quotes) before it is copied into the textarea on submit. The posted value is &lt;p&gt;Test!&lt;/p&gt; rather than <p>Test!</p>; it contains no < at all, so ASP.NET's request validation doesn't get tripped. Everyone's happy! One wrinkle, which several people hit in the comments below: the xml encoding turns an apostrophe into &#39;, and the validator rejects the sequence &# just as it rejects < followed by a letter, so text such as "doesn't" or a font name like 'arial black' still trips it.

According to the TinyMCE manual:

This option is set to nothing by default and is therefore disabled.

I’d love it if they changed that around and encoded everything by default.
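To make the mechanism concrete, here is an added example (not code from this post, from TinyMCE or from ASP.NET) that models the whole round trip in plain JavaScript: what the xml encoding does to the editor content on submit, the rule ASP.NET request validation applies to the posted value, the apostrophe case raised in the comments, and the server-side decode. The validator check is a simplified re-implementation of the documented rule, not Microsoft's code; the assumption that the xml encoding emits &#39; for an apostrophe is taken from the error messages quoted in the comments; and the decoder is a minimal stand-in for HttpUtility.HtmlDecode that assumes &apos; is recognised, which you should confirm for your framework version.

```javascript
// Added example, not code from the post, TinyMCE or ASP.NET: a stand-alone model
// of what encoding:"xml" does to the submitted field, of the rule ASP.NET request
// validation applies to it, and of the apostrophe edge case from the comments.

// What TinyMCE's xml encoding does on submit: the five XML-significant characters
// become entities, with the apostrophe as the numeric entity &#39; (assumption
// taken from the error messages quoted in the comments, not from TinyMCE's source).
const XML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function xmlEncode(html) {
  return html.replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// Simplified re-implementation (not ASP.NET's code) of the check that raises
// "A potentially dangerous Request.Form value was detected": the value is
// rejected if it contains '<' followed by a letter, '!', '/' or '?', or the
// two characters '&#'. A trailing '<' or '&' with nothing after it is allowed.
function isDangerousString(value) {
  for (let i = 0; i < value.length - 1; i++) {
    const c = value[i];
    const next = value[i + 1];
    if (c === "<" && /[A-Za-z!\/?]/.test(next)) return true;
    if (c === "&" && next === "#") return true;
  }
  return false;
}

// Eddie's workaround from the comments: replace the numeric apostrophe entity
// with the named one so the submitted value contains no "&#" sequence.
function avoidNumericApostrophe(encoded) {
  return encoded.replace(/&#39;/g, "&apos;");
}

// Server side: the decode step the post performs with HttpUtility.HtmlDecode.
// This minimal stand-in knows only the entities xmlEncode emits plus &apos;.
// A single regex pass means "&amp;lt;" decodes to "&lt;", not all the way to "<".
const DECODE = { "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'", "&apos;": "'", "&amp;": "&" };

function htmlDecode(encoded) {
  return encoded.replace(/&(?:lt|gt|quot|amp|apos|#39);/g, (m) => DECODE[m]);
}

// Whole round trip for one editor value: what the browser posts, whether
// request validation would reject it, and what the server gets after decoding.
function roundTrip(html, fixApostrophes) {
  let posted = xmlEncode(html);
  if (fixApostrophes) posted = avoidNumericApostrophe(posted);
  return {
    posted,
    rejected: isDangerousString(posted),
    decoded: htmlDecode(posted),
  };
}

// Constructed sample inputs: the post's own "<p>Test!</p>" and the "doesn't"
// case from the comments.
const SAMPLES = ["<p>Test!</p>", "<p>The system doesn't break.</p>"];

for (const html of SAMPLES) {
  console.log("raw         :", isDangerousString(html) ? "rejected" : "accepted", html);
  const plain = roundTrip(html, false);
  console.log("xml encoded :", plain.rejected ? "rejected" : "accepted", plain.posted);
  const fixed = roundTrip(html, true);
  console.log("with &apos; :", fixed.rejected ? "rejected" : "accepted", fixed.posted,
              "-> decoded:", fixed.decoded);
}
```

Running it shows the three states side by side: the raw <p>Test!</p> is rejected, the xml-encoded form passes, the "doesn't" sentence is rejected again because of &#39;, and swapping in &apos; lets it through while still decoding back to the original HTML. Note what the last column is: the user's markup, untouched. The validator has been bypassed for this field on purpose, so anything that renders that value must trust its author or sanitize it first.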

posted on Thursday, July 22, 2010 3:09 PM | Filed Under [ Development Microsoft ]

Comments

# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Wichukorn @ 11/15/2010 5:32 AM)

Thank you very much.
 
# Very important for ASP.Net 4.0 Users (Ray K. Ragan @ 1/7/2011 5:46 AM)

I wanted to say thank you. I'm using ASP.Net 4.0 and it just didn't sit well with me to turn off the protections .Net has for us built-in. Your solution worked perfectly.

Just a point of clarification. You must add the XML declaration in the initialization. It took me a few minutes of trial and error to sort this out.

Thanks again!

Ray K. Ragan
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Alejandro PArodi @ 2/10/2011 12:40 PM)

Very Good post.
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Wael @ 3/29/2011 2:14 AM)

When I tried adding this line: <tinymce:TextArea id="TextBoxBodyHtml" encoding="xml" runat="server" />

it did not work, as ASP can't identify the tinymce tag. I only have the TinyMCE js and css files. Do I need to add any other files in order to make ASP identify the tinymce tag?
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Soung @ 4/4/2011 4:20 PM)

I am so confused. Where should I put all this code?
Please tell me. I want to deal with it urgently.
Thanks
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Tim French @ 4/4/2011 5:57 PM)

Thanx for the info. This was killing me until I found your fix.
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Fran Hoey @ 4/19/2011 1:20 AM)

Fantastic thank you. I was dreading turning off validation.

One small amendment, if you are using Html.TextAreaFor and want to add the TinyMCE via script you can add the encoding via the init function call:
tinyMCE.init({ mode: "textareas", encoding: "xml" });
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (bobby @ 4/24/2011 3:22 PM)

To those that are confused: in your initialization, add "encoding: 'xml'",
then when you are retrieving the value of the textarea, use this:
HttpUtility.HtmlDecode(TextBoxBodyHtml.Value);

and to the author thanks a lot!
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Venkat Rao @ 6/10/2011 11:01 PM)

Very GOOD article. Saved me a lot of time.


I used the below script to get it work

<script type="text/javascript">
    tinyMCE.init({
        mode: "textareas",
        theme: "simple",
        encoding: "xml"
    });
</script>
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Kalyan @ 6/26/2011 6:17 PM)

Did anybody experience an issue with Single quotes so far?

I had the same issue, and adding the "encoding : 'xml'" property in the init fixed the issue until I added any word with a single quote in it, like "doesn't" for example. I get the error:

A potentially dangerous Request.Form value was detected from the client (ctl00$mainContentPlaceHolder$addPost$postContent="...stem doesn&#39;t break.&lt;b...").

What's weird is that it doesn't encode the value as &quot; but instead encodes it as a numeric value.

Any ideas?
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Median @ 8/18/2011 9:53 PM)

Thanks for the solution, but this just does not solve the problem. When I try to retrieve the content, I see the HTML code:

content

 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Still not working @ 8/20/2011 5:14 AM)

Sorry, this method still doesn't work. Even though you can now post back with no errors, once you do a form submission and the server posts back, the textarea now has "

Test!

" in the TinyMCE editor instead of just the words "Test!". So unfortunately you can only post back the page once and move on to a different page, which is not what most people will do. So this solution also fails.
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Thomas @ 8/24/2011 10:46 AM)

Excellent - many thanks for this, can't believe was unable to find this on the TinyMCE site, it's the top issue I've always had when using this plugin.
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Eddie @ 8/25/2011 2:24 PM)

>> Did anybody experience an issue with Single quotes so far?

That's what I'm struggling with right now. Did you happen to find a solution for it? I guess I could just force a replace of all quotes to &quot before it freaks out.

Bleh...

Great post, by the way! Saved a ton of time and gray hairs!
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Eddie @ 8/25/2011 3:09 PM)

Since TinyMCE encodes single quotes into &#39, and ASP.NET validation treats that as a security vulnerability, if we replace all instances of &#39 with the HTML friendly &amp, it seems to work like a charm. I added this event handler into the TinyMCE.init to get it to work:

tinyMCE.init({
    // ...
    setup: function (ed) {
        ed.onSaveContent.add(function (ed, o) {
            // "&#39;" becomes "&apos;" (the trailing ";" is kept by the replace)
            o.content = o.content.replace(/&#39/g, "&apos");
        });
    }
});
 
# Thanks OP and Eddie! (Ricky @ 9/20/2011 7:40 AM)

THANK YOU original poster, and EDDIE for your single-quotes solution. This helped immensely :-D
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Tara @ 10/5/2011 6:45 AM)

Great solutions, everyone! I got it working great with both the init of xml and the single quote fix. Btw, to retrieve the value of the TinyMCE field, you can also use something like:

Dim oDAL As New DALHelper

TextAreaFieldName.Text = Server.HtmlDecode(oDAL.NZ(dtAnn.Rows(0)("TextAreaDescription"), ""))

Thanks everyone!!
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Matthew @ 10/6/2011 12:14 AM)

Hello,

Your solution is very good because it solves this problem without disabling the validation. However, now I have another problem. I cannot save some characters like <, >, even Greek letters and maybe more... Everything is saved as UTF-8 in the database and everything is shown the same way on the front-end of the site.

Is there a solution for this too?

Thanks anyway
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Rodion @ 12/21/2011 4:07 AM)

Thank you very much. Exactly what i need.
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Chris Lienert @ 1/27/2012 9:37 PM)

The problem with primes can be solved by converting them. In this case, I'm converting to left and right single quotes but you could just as easily replace with an unencoded prime.
tinyMCE.init({
    // ...
    save_callback: function (element_id, html, body) {
        // an apostrophe followed by a non-space becomes a left quote, the rest right quotes
        html = html.replace(/&#39;(\S)/g, "&lsquo;$1").replace(/&#39;/g, "&rsquo;");
        return html;
    }
});
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Sílvia Mur @ 8/14/2012 12:40 AM)

AWESOME!! Thanks so much, I was going crazy with this sh**! I can't believe it was so simple after all. Cheers! ;-)
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Hamid @ 9/24/2012 2:22 AM)

I encountered this error when using some fonts such as ('arial black', 'Andale Mono', ...) and any font whose name is made of separate words.

In the HTML view of TextContent it's like this:

<span style="font-family: 'arial black', 'avant garde';">
This is some text for test&nbsp;
</span>



Note that the font-family is 'arial black'.

And now the error message is:

A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$txtContent="...t-family: &#39;arial black&#39...").

Note the name &#39;arial black&#39;.

Thanks ...
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Zed @ 9/27/2012 3:42 AM)

Doesn't work with jQuery ajax.
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Javier Regusci @ 3/10/2013 6:52 AM)

Great Post! Thanks.
 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (Bikram Singh @ 4/5/2013 9:45 PM)

tinyMCE.init({
    // ...
    setup: function (ed) {
        ed.onSaveContent.add(function (ed, o) {
            o.content = o.content.replace(/&#39/g, "&apos");
        });
    }
});

Thanks Eddie, your solution is working fine for me.
thanks...

 
# re: TinyMCE and “A potentially dangerous Request.Form value was detected” (DrHamiedYemen @ 6/11/2014 1:17 AM)

Worked fine ....
Thank you
