Ramco Ramco

Error - A potentially dangerous Request.Form value was detected

Aug 28 2024 2:20 AM

Hi

I am getting an error on this line:

ScriptManager.RegisterStartupScript(this, this.GetType(), "ShowModal", "$('#modal_form_horizontal').modal('show');", true);

A potentially dangerous Request.Form value was detected from the client (hfErrorMessage="...- allowed.</br>").

Description: ASP.NET has detected data in the request that is potentially dangerous because it might include HTML markup or script. The data might represent an attempt to compromise the security of your application, such as a cross-site scripting attack. If this type of input is appropriate in your application, you can include code in a web page to explicitly allow it. 

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (hfErrorMessage="...- allowed.</br>").

        // Needed at the top of the code-behind file:
        // using System.Data;
        // using System.Data.SqlClient;
        protected void btnSubmit_Click(object sender, EventArgs e)
        {
            string errMessage = "";

            // Server-side validation; the message is built as an HTML fragment.
            if (String.IsNullOrWhiteSpace(txtBankName.Text))
            {
                errMessage += "Bank Name is required and cannot be empty.</br>";
            }

            if (errMessage == "")
            {
                try
                {
                    if (hdfId.Value == "0")
                    {
                        using (SqlConnection con = new SqlConnection(Common.CommonFunction.cnn_Live))
                        {
                            SqlCommand cmd = new SqlCommand("Sp_Bank", con);
                            cmd.CommandType = CommandType.StoredProcedure;

                            cmd.Parameters.AddWithValue("@Action", "I");
                            // Add() takes the SqlDbType; AddWithValue() expects the value itself.
                            cmd.Parameters.Add("@BankCode", SqlDbType.VarChar).Value = txtBankCode.Text.ToUpper();
                            cmd.Parameters.Add("@BankName", SqlDbType.VarChar).Value = txtBankName.Text.ToUpper();
                            SqlParameter successParam = cmd.Parameters.Add("@Success", SqlDbType.Bit);
                            successParam.Direction = ParameterDirection.Output;
                            con.Open();

                            cmd.ExecuteNonQuery();
                            bool success = (bool)successParam.Value;
                            if (success)
                            {
                                string message = Common.CommonFunction.recordInsertedSucessfully;
                                ShowMessage("Success", message, "Success");
                            }
                            else
                            {
                                ShowMessage("Oops...", success.ToString(), "error");
                            }
                        }
                    }
                }
                catch (Exception)
                {
                    ShowMessage("Oops...", Common.CommonFunction.ErrorMessage, "error");
                }
            }
            else
            {
                // Validation failed: the message, including its </br> markup, goes into
                // the hidden field. That value is sent back in Request.Form on the next
                // postback, and the '<' in it is what request validation rejects.
                hfErrorMessage.Value = errMessage;
                ScriptManager.RegisterStartupScript(this, this.GetType(), "ShowModal", "$('#modal_form_horizontal').modal('show');", true);
            }
        }

Thanks
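An added example, not code from the question: the hidden field's value is echoed back in Request.Form on every later postback, so the `</br>` written into hfErrorMessage is what request validation rejects. Rather than switching validation off with ValidateRequest="false", keep markup out of the posted value and encode only at render time; the helper class, its method names and the idea of rendering into a Label or Literal are assumptions, not the poster's page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

public static class ErrorMessageHelper
{
    // Collect validation failures as plain-text sentences, never HTML fragments.
    public static List<string> Validate(string bankCode, string bankName)
    {
        var errors = new List<string>();
        if (string.IsNullOrWhiteSpace(bankCode))
            errors.Add("Bank Code is required and cannot be empty.");
        if (string.IsNullOrWhiteSpace(bankName))
            errors.Add("Bank Name is required and cannot be empty.");
        return errors;
    }

    // Conservative form of the check ASP.NET request validation runs on every
    // Request.Form value: '<' followed by a letter, '!', '/' or '?', and any "&#"
    // sequence, are rejected. Avoiding both characters keeps a posted-back value safe.
    public static bool IsRequestValidationSafe(string value)
    {
        return !value.Contains("<") && !value.Contains("&#");
    }

    // Value for hfErrorMessage: one message per line, no markup. HTML-encoding it is
    // no fix either: WebUtility.HtmlEncode turns an apostrophe into "&#39;".
    public static string ToHiddenFieldValue(IEnumerable<string> errors)
    {
        return string.Join("\n", errors);
    }

    // Markup for a Label or Literal, which is rendered but never posted back. Each
    // message is encoded before <br /> is added, so echoed user input cannot become script.
    public static string ToHtml(IEnumerable<string> errors)
    {
        return string.Join("<br />", errors.Select(e => WebUtility.HtmlEncode(e)));
    }

    public static void Main()
    {
        string hidden = ToHiddenFieldValue(Validate("", ""));
        Console.WriteLine(IsRequestValidationSafe(hidden));
        // The value from the question, and an encoded apostrophe, both fail the check.
        Console.WriteLine(IsRequestValidationSafe("cannot be empty.</br>"));
        Console.WriteLine(IsRequestValidationSafe(WebUtility.HtmlEncode("can't")));
        Console.WriteLine(ToHtml(new[] { "<b>Bank Name</b> is required." }));
    }
}
```

In the page, set hfErrorMessage.Value from ToHiddenFieldValue and let the modal script split on newlines and append text nodes, or drop the hidden field and assign ToHtml to a Label that is never part of the postback.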


Answers (3)