I have a text input to accept HTML input by user and got the following error:

A potentially dangerous Request.Form value was detected from the client (SilkUIFramework_wt31$block$wtMainContent$wt9="<Test>")

I figured it is because of the angle brackets. What is the best way to allow HTML input and avoid the error?

Stanley

Stanley Mok wrote:

I have a text input to accept HTML input by user and got the following error:

A potentially dangerous Request.Form value was detected from the client (SilkUIFramework_wt31$block$wtMainContent$wt9="<Test>")

I figured it is because of the angle brackets. What is the best way to allow HTML input and avoid the error?

Stanley

The input is in a Pop-up Editor. Once this error has occurred, the Cancel action also triggers this error, even though the only action is Popup_Editor_Close.


Hello Stanley

I can't reproduce your error on Chrome.
I can enter "HTML" in an input, both in a normal page as well as in a PopUp.

https://eduardojauch.outsystemscloud.com/Tests/Home.aspx?_ts=636390174364844237

And I don't see a reason for it not to work.
Can you provide any other detail on something different you are doing?

Cheers,
Eduardo Jauch

After cloning the module and removing other screens and entities, the input works and the error does not happen.

When I manually create a similar screen in the original module, the error happens. Now I have no idea what to check next.

Any idea where the error message comes from?

Hi Stanley,

I've done some searching and it seems to be an ASP validation (IIS) to avoid XSS attacks.

http://codingstill.com/2013/01/avoiding-the-a-potentially-dangerous-request-form-value-was-detected/

But I don't know why it works on my OML, for example.

I don't have access here to my computer where I tested it, but you could check a couple of things.

First, what type of method has the button? Submit? Ajax Submit? Navigate?
Second, the fields are inside an OutSystems Form? In my example they aren't.
Third, in the original module, if you first remove the header, and then the footer of the test page, does it still give you an error?

You could try to disable the form field validation like in the link, or try to escape the content with jQuery as it is suggested here: https://stackoverflow.com/questions/24816/escaping-html-strings-with-jquery

I'll try to dig more into this issue tomorrow, to see if I can find something in OutSystems about this :)

Cheers,
Eduardo Jauch
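The escaping route suggested above, sketched as an added example that is not part of the original posts: `looksDangerous` is an approximation of the ASP.NET request-validation pattern check, and `escapeHtml` / `unescapeHtml` are hypothetical helper names. It shows that numeric entities such as `&#39;`, which many escape helpers emit, are themselves rejected, so the helper uses named entities only.

```javascript
// Approximation (assumption) of ASP.NET request validation: a value is
// rejected when it contains "<" followed by a letter, "!", "/" or "?",
// or "&" followed by "#".
function looksDangerous(value) {
  return /<[a-zA-Z!\/?]|&#/.test(value);
}

// Named entities only. Numeric forms like "&#39;" contain "&#" and would
// trip the same check. "&apos;" is defined in HTML5 and XML, not HTML 4.
const ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&apos;",
};

// Encode text before it is placed in the form field that gets posted.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Inverse mapping, built from ENTITIES, for code that needs the raw text back.
const DECODE = Object.fromEntries(
  Object.entries(ENTITIES).map(([ch, entity]) => [entity, ch])
);

// Single pass, so "&amp;lt;" decodes to "&lt;" and not to "<".
function unescapeHtml(text) {
  return String(text).replace(/&(?:amp|lt|gt|quot|apos);/g, (e) => DECODE[e]);
}

// Constructed sample inputs; "<Test>" is the value from the error message.
const samples = ["<Test>", "it's <b>bold</b> & \"quoted\"", "1 < 2"];
for (const raw of samples) {
  const encoded = escapeHtml(raw);
  console.log(
    JSON.stringify(raw),
    "rejected raw:", looksDangerous(raw),
    "| encoded:", encoded,
    "| rejected encoded:", looksDangerous(encoded)
  );
}
```

Whatever later renders the stored value still has to treat it as text or encode it for the output context; passing the request check says nothing about how the value is displayed.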

The layout is LayoutPopup, so there is no header and footer. It is an Edit Record, no Form and the button is Ajax Submit.

I will try disabling the validation.


Ok... I tested with a Submit. No Edit Record, only fields in the layout.
Could be something in the layout?

What is "bothering" me is the fact that you cloned the module and erased everything and the page test worked, but if you use it in the original, it does not work...

I compared with other PopupEdit screens but found no difference and the other popups do not have this error.


Stanley Mok wrote:

I compared with other PopupEdit screens but found no difference and the other popups do not have this error.


Hum...

The other popups are "identical"? They also have inputs to enter HTML code?
If you enter HTML in a TEXT input in the other popups you don't have this error? 

If you call the popup from a different page (one that calls a popup you don't have the error), you still get the error or it starts to work?

It is consistent with all popups now - does not matter which screen they are called, all the popups will not accept angle brackets in textboxes.


Can you provide a small module where this behaviour is observed?
If you can, I can take a look at it tomorrow, to try to understand what it is that is causing this.

Maybe the Template you are using?

Hi Stanley,

Can I ask you something?
What is your stack? Java? And version?

I think I see someone complaining about problems with XSS messages in JAVA stack, in a version prior to 9.1 and the solution was to update to version 9.1 (or above).

I made many tests and none had caused problems... But I'm testing in a P10 stack .NET (personal).

Maybe this is the case...

Cheers,
Eduardo Jauch

I am using .NET, Service Studio version is 9.1609.0

The same error does not happen when I create a brand new module from scratch using the same template.

Now the interesting thing: I cloned the module again and was going to remove things one by one to see what may contribute to this error, and the cloned module just works without any modification. The only change is the module name.

I am not ready to replace the original module with the cloned one yet.

Ok.

This is strange.
If a freshly cloned module works, I can think of only three reasons:

a) The original module is corrupted (I saw this before, but with single screens).
b) There is a problem with references that is being fixed in the cloned module (pointed to newer versions).
c) A bug in the Service Studio version.

The b seems the most probable, but the first is also possible. The less probable but still possible is the c...

Cheers,
Eduardo Jauch

Stanley Mok wrote:

I am not ready to replace the original module with the cloned one yet.

why not?

simply clone rename to the "old" name and publish it?


J. wrote:

Stanley Mok wrote:

I am not ready to replace the original module with the cloned one yet.

why not?

simply clone rename to the "old" name and publish it?


Without knowing the reason behind it, this may be a temporary fix. I need to test that other things are still working before the switch, and assume the module is somehow corrupted.

Eduardo, I did try refreshing references in the old module but it did not help, but thanks for your help and suggestions.

Stanley

Solution

The original module is replaced by the cloned one after extensive testing. Still do not know what went wrong, just assume it was corrupted.

Thanks.
