Asp.net automatically blocks any input that resembles html code

Question

I use asp.net / visual studio2013 / c# to create a web application.

I have an input textfield. When I type <div> (or any nonsensical html-like tags such as <abc>) and do a postback, the postback never occurs and I get a javascript error message:

Sys.WebForms.PageRequestManagerServerErrorException:
A potentially dangerous Request.Form value was detected from the client 
(ctl00$ctl00$MainSection$DescriptionTextBox="<div>").

This error is generated by a big javascript file that automatically gets inserted in my page when I build the application. (in other words, I have no control over this javascript)

This is great for preventing hackers to inject any code in my code, but what really bothers me is that no postback actually occurs, and no error messages or anything are shown.

Imagine a random user trying to type <for my best friend> in the textbox. From the user's perspective, the website is broken because nothing happens.

My question is, how can I inform the user what the problem is (namely, you cannot type that text) when the problem arises?

Answer 1

Sure it does for security reasons.

Here is an explanation and work-around:

Rick Strahl's blog

I would not recommend swtiching it completely off on the whole site, it is there because it is a major security feature you really want to keep.

It's far better to use javascript client-side just before the submit and revert it back-to-normal when the page is loaded.

Just as an example, TinyMCE has an onSubmit() event method for this purpose:

You can hook into it and have a one-liner replacing < and > with their HTML-friendly counterparts < and >.

For other controls there should be equal mechanisms.