A potentially dangerous Request.QueryString value was detected from the client (textarea="<p>wewqe</p>").

Source: Internet
Author: User
Tags: sql injection, string format

Anyone who has used a rich text editor will have run into this problem. When you save the editor's text there are two options: plain text, such as "I wrote a blog today", or pure HTML, such as <p>I wrote a blog today</p>.


To make later processing easier, we often save the edited content to the database in HTML format. The original styling then survives untouched, whereas text saved as a plain string has to be laid out again when it is displayed, so the HTML format is clearly the more practical choice.


But here is the problem: data stored in HTML format fails request validation, with the error shown above.



Looking through the many case studies on the Internet, taking ASP.NET as the example, people have tried this:

ValidateRequest="false"

And this, modifying the Web.config file:

<configuration>
    <system.web>
        <pages validateRequest="false"/>
    </system.web>
</configuration>

Or adding to Web.config, under <system.web>:

<system.web>
    


And so on.


But I found that none of it was any use:




1. I am using the MVC pattern, so perhaps the environment is different and the setting simply has no effect.


2. The project is large and cannot be changed freely, let alone taking a 4.0 or 4.5 program back to 2.0 behaviour, which carries some risk.


3. It is not safe.


My understanding of the insecurity is this: the existence of this exception (problem/bug) is no accident; as philosophy puts it, whatever exists has a reason. Plainly, a value that carries a potential hazard should be detected by an intelligent development tool. As mentioned above, an HTML-format text message such as "<p>Today I wrote a blog</p>" contains special characters, namely the angle brackets "<>". Such a value may at some point be fatal to the database. It is well known that SQL injection attacks are normally guarded against by validating data as it is added, but a text editor has far more text to deal with, and that is where the trouble starts.


Having said that, you might think of a solution, since injection attacks are avoided by regular-expression validation at the moment data is added.


But while a value is being entered, the text editor does not mark which HTML tags it contains; you only know what the tags are once you have the value, so regular-expression validation is unreasonable here. Weighing the advantages and disadvantages of the methods above, I took a different route to data access: encoding and decoding the string.


Encoding:



Sample string to store in the database:



Decoding:



Simplified sample of the encoding and decoding code:

var html = "<p>wrote a long blog today</p>";  // the string to encode

var htmlescape = escape(html);                 // encoding

// ---- htmlescape is stored in the database ----

// ---- later it is read back from the database into the variable htmlsql ----
var htmlsql = htmlescape;                      // stands in for the value read back

var htmlunescape = unescape(htmlsql);          // decoding

Then test it with an alert window: the value is the same as the original, and the first problem is solved. Although I have written a lot, the fix itself is two lines of code; the point of the above is the idea.
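As an added example (not code from the original post), the same round trip written with encodeURIComponent/decodeURIComponent instead of the deprecated escape/unescape pair, together with a constructed stand-in for the "<" heuristic that ASP.NET request validation applies, so you can see offline why the encoded value is no longer rejected and why it comes back identical. The regular expression in looksDangerousToRequestValidation, the function names and the sample string are assumptions for this example, not ASP.NET's own code. The last function is the caveat a practitioner wants: request validation exists to catch markup before it reaches a page, so once it is bypassed this way, the decoded HTML must still be entity-encoded or sanitized before it is written back into a page, and none of this replaces parameterized queries on the database side.

```javascript
// Added example, not from the original post. Assumes the post's scenario:
// rich-text HTML is encoded on the client before submission, stored as-is,
// and decoded when read back.

// Constructed stand-in for the ASP.NET request-validation rule: a value is
// flagged when it contains '<' followed by a letter, '!', '/' or '?', or the
// sequence '&#'. This regex is an approximation written for this example.
function looksDangerousToRequestValidation(value) {
  return /<[a-zA-Z!\/?]|&#/.test(value);
}

// Client side: encode the editor's HTML before it is submitted. '<' becomes
// '%3C' and '/' becomes '%2F', so the server-side heuristic never sees an
// angle bracket. encodeURIComponent replaces the deprecated escape().
function encodeForTransport(html) {
  return encodeURIComponent(html);
}

// Consumer side: reverse the encoding after reading the stored value.
function decodeFromStorage(stored) {
  return decodeURIComponent(stored);
}

// Minimal HTML entity encoding for the moment the decoded text is written
// back into a page. Untrusted markup must not be emitted raw.
function htmlEncodeForDisplay(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample value, mirroring the post's example string.
const SAMPLE_HTML = '<p>wrote a long blog today</p>';

// Run the whole trip and report what each stage looks like.
function roundTrip(html) {
  const encoded = encodeForTransport(html);
  const decoded = decodeFromStorage(encoded);
  return {
    rawFlagged: looksDangerousToRequestValidation(html),      // true: raw HTML is rejected
    encodedFlagged: looksDangerousToRequestValidation(encoded), // false: encoded form passes
    encoded,
    decoded,
    identical: decoded === html,                               // true: lossless round trip
    safeForDisplay: htmlEncodeForDisplay(decoded),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(roundTrip(SAMPLE_HTML));
}
```

The stand-in check makes the mechanism visible: the raw string trips the heuristic, the percent-encoded string does not, and decoding restores the original byte for byte. encodeURIComponent is preferred over escape() because escape() is deprecated and does not handle non-ASCII text consistently.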



Compiled by sakura, 2015.7.8




