Careful with that FreeTextBox

August 13, 2007

8 comments

I came in need of an ASP.NET text box control that allows the user to enter rich text. Quickly enough I found FreeTextBox, an awesome control that is widely used in several well-known projects (such as Community Server, which hosts the blog you’re currently reading). And, as its name suggests, the basic version of the control (which is more than enough for my needs) is free.

So I started playing around with it a bit, throwing it in a web-page, editing some HTML and posting the page. Boom.

…A potentially dangerous Request.Form value was detected from the client…

Well, of course. ASP.NET was smart enough to detect that some HTML was posted in the form, and it thought to itself “Hmm, that could also be a script. Shouldn’t let that happen.” And it was right, too. Still, I do want to let my users edit HTML, don’t I?

If you google that error, you will get one of two solutions:

  1. Set validateRequest="false" on the <pages> element in your web.config. This will in turn switch off request validation for every page in your application.
  2. Set ValidateRequest="false" on the <%@ Page … %> directive of the page that uses your FreeTextBox. This switches off request validation only for that specific page.

The first suggestion is a big no-no, as it can seriously harm the security of your web-site, allowing malicious users to inject scripts into your pages and cause some serious damage (unless, of course, you validate all of your input yourself with regular expressions, which most people don’t).

The second suggestion is better, as it exposes you to danger only on the page that hosts the FreeTextBox. There you’ll have to be extra careful. First, if you have HTML mode enabled, allowing the user to enter raw HTML, the user can simply put in <script> tags and post the form. So you might think that by turning off HTML mode and allowing only the design mode, which generates the HTML for you, you’re off the hook.

Well, that wouldn’t be very smart of you. I showed here how any client-side validation turns to dust with a tool as simple as the Firebug debugger for Firefox. With the same technique, you could go to Firebug’s console view and run the following:

    document.getElementById('FreeTextBox1').value = '<script>alert("hi!");</script>';
    document.forms[0].submit();

So any method that tries to prevent the user from entering malicious data on the client is rather worthless. Luckily, FreeTextBox has a StripAllScripting property that removes all scripts on the server side, so no client-side tricks can get around it. I am not 100% sure this is a bullet-proof solution, but it seems to work well.

You should also be extra careful with any other fields you have on the same page that are not FreeTextBoxes. You don’t get any request validation for them either, so you should remember to validate them with regular expressions, or simply Server.HtmlEncode their ass. Why couldn’t we HTML-encode our FreeTextBox input as well, you might ask? Well, that would rather defeat the point of letting our users enter rich HTML content, wouldn’t it? If we let them edit text with HTML, we probably want to display their text as rich text, and not as a series of <htmlTags/>.
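To make the two server-side treatments concrete, here is an added, self-contained example (not FreeTextBox’s code, nor anything from the original post): an allow-list HTML sanitizer standing in for what StripAllScripting does to the rich-text field, and HTML-encoding standing in for Server.HtmlEncode on every other field. It goes a little beyond the post by also dropping event-handler attributes and javascript: links, not just <script> elements. The field name FreeTextBox1 is taken from the post; the allow-list, the "Title" field and the sample form post are constructed assumptions.

```python
"""Server-side handling of one rich-text field next to plain fields.

Constructed example: allow-list sanitization for the rich-text field and
HTML-encoding for everything else. Nothing here trusts the browser.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allow-list of tags and attributes the rich-text field may keep.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
DROPPED_WITH_CONTENT = {"script", "style"}  # element and its body both go
SAFE_SCHEMES = ("http://", "https://", "mailto:")
RICH_FIELD = "FreeTextBox1"  # field name from the post; all others are plain text


class AllowListSanitizer(HTMLParser):
    """Rebuilds the markup, keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []        # allow-listed tags currently open
        self._dropping = None  # set while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if self._dropping:
            return
        if tag in DROPPED_WITH_CONTENT:
            self._dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue  # drops every on* handler, style, etc.
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # blocks javascript: and other unexpected schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_startendtag(self, tag, attrs):  # e.g. <br/> or <b/>
        if self._dropping or tag in DROPPED_WITH_CONTENT:
            return
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{self._open.pop()}>")

    def handle_endtag(self, tag):
        if self._dropping:
            if tag == self._dropping:
                self._dropping = None
            return
        if tag in self._open:
            while self._open:  # close anything still open inside it, then itself
                top = self._open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))  # text never becomes markup

    # Comments, doctypes and processing instructions vanish: the base class's
    # handlers for them are no-ops and we do not override them.

    def result(self):
        self.close()
        while self._open:  # balance tags the user left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_rich_text(markup):
    parser = AllowListSanitizer()
    parser.feed(markup)
    return parser.result()


def encode_plain_field(value):
    """Same effect as Server.HtmlEncode: the value can only ever render as text."""
    return escape(value, quote=True)


def process_form(form):
    """Rich field gets sanitized, every other field gets encoded."""
    return {name: sanitize_rich_text(value) if name == RICH_FIELD else encode_plain_field(value)
            for name, value in form.items()}


# Constructed form post, as if submitted with the Firebug trick from the post.
SAMPLE_FORM = {
    "FreeTextBox1": '<p>Hello <b onclick="steal()">world</b><script> alert(\'hi!\'); </script></p>',
    "Title": "<script>alert('hi!')</script>",
}

if __name__ == "__main__":
    for name, value in process_form(SAMPLE_FORM).items():
        print(f"{name}: {value}")
```

Because the sanitizer rebuilds the output from parsed tokens instead of pattern-matching the input string, it does not matter whether the <script> arrived through HTML mode, design mode or a debugger console: anything not on the allow-list never reaches the output. The plain "Title" field is encoded rather than sanitized, which is exactly why the rich field cannot get the same treatment.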

FreeTextBox really is a great control, just be careful not to leave huge security holes in your application while you’re using it.

8 comments

  1. Meidan Alon, August 16, 2007 at 21:30

    Eugene.

  2. Jason Lee, December 4, 2009 at 20:06

    http://www.richtextbox.com/

    I am using this. It works perfectly for me.

  3. Alex Williamson, December 13, 2010 at 18:53

    Well, I’m just going to throw in the obviousness of “never rely upon data you don’t control”, so never ever trust a user. Always clean and strip code at the server side.

    I’d use CKEditor and use the HtmlEncode config option as your workaround.

  4. Nikeeta, March 19, 2013 at 9:16

    One question: how to use it in an MVC application?
