I have created a website in ASP.NET 3.5 that takes some input in text format and saves it in a SQL Server 2005 database.
The database field is varchar(50).
But I can't do it if data in text box contains special symbols like <,>,#,@,.
It generates a client script error showing security error.
For scripting I am using JavaScript.
As @John Nolan writes, this most likely is the result of ASP.NET's built in request validation.
You have to turn off the built in validation and roll your own:
You can turn off the validation at page level:
<%@ Page validateRequest="false" %>
or at application level (in web.config):
<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>
Don't forget to encode all output from your application, especially after turning off the request validation.
Check out this article on the subject.
In order to protect your application you have to follow common Web application security guidelines and among others encode all your output that was generated directly or indirectly by users to avoid Cross Site Scripting (XSS). Microsoft has provided an Anti XSS library to simplify this. OWASP has an XSS prevention cheat sheet.
This sounds like it doesn't like the <> characters. Try turning off validaterequest in your page directive. WARNING: This will allow malicious content through though. It is probably best to encode your input.
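Putting both answers together (request validation off at page level, user text stored through a parameterised command, HTML-encoded on output), as an added code-behind example that is not from the original answers; the control names, the Comments table and Body column, and the "CommentsDb" connection string are assumptions:

```csharp
// Code-behind for a Web Forms page declared with
// <%@ Page Language="C#" validateRequest="false" CodeFile="Comment.aspx.cs" Inherits="CommentPage" %>
// Assumed (hypothetical) names: TextBox txtInput, Label lblEcho, Button btnSave,
// table Comments(Body varchar(50)), connection string "CommentsDb" in web.config.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class CommentPage : Page
{
    // The text is stored exactly as typed; encoding is applied only when it is rendered,
    // so the database keeps the original and each output context can encode for itself.
    protected void btnSave_Click(object sender, EventArgs e)
    {
        string body = txtInput.Text;

        // Enforce the varchar(50) limit on the server; a client-side MaxLength can be bypassed.
        if (body.Length > 50)
        {
            lblEcho.Text = "Input must be 50 characters or fewer.";
            return;
        }

        string cs = ConfigurationManager.ConnectionStrings["CommentsDb"].ConnectionString;
        using (SqlConnection cn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("INSERT INTO Comments (Body) VALUES (@body)", cn))
        {
            // Parameterised: <, >, ', # or @ in the text can never change the SQL statement.
            cmd.Parameters.Add("@body", SqlDbType.VarChar, 50).Value = body;
            cn.Open();
            cmd.ExecuteNonQuery();
        }

        // Label.Text is emitted raw, so encode here: "<script>" reaches the browser as text,
        // not as markup, which is what closes the XSS hole left by turning validation off.
        lblEcho.Text = "Saved: " + HttpUtility.HtmlEncode(body);
    }
}
```

The same HtmlEncode step has to be repeated wherever the stored value is later displayed, since the database row still contains the raw characters.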