Currently, when trying to submit a transaction that contains a dropdown whose text contains angle brackets, e.g. "<abcd>", I'm getting a 500 internal server error, since ValidateRequest=true by default and it throws an unhandled exception before it reaches the page handler, since it's a cross-site scripting problem.
Is there a way to intercept and modify the request object in an HttpModule or Global.asax, since I know the Request object is read-only?
I've been breaking my head for almost three days but am not able to get a concrete solution. What would be the best solution to handle these kinds of scenarios? Also, I don't want to encode it on the client side.
Encode the value in the listbox:
<asp:ListItem>&lt;abcd&gt;</asp:ListItem>
[Edit] I realize my solution does not apply. The content is probably sent encoded by the browser, and is rendered encoded too by the drop-down list (if you use standard databinding). I think your only option is to disable the validation of the request.
This implies you have to be very careful with user input. To keep it simple, encode every user input with HttpUtility.HtmlEncode(txtXX.Text);.
More on this in the Script Exploits Overview page of MSDN.
Use HttpUtility.HtmlEncode and HttpUtility.HtmlDecode to solve this problem.
You can put HTML-encoded text in the control or use these methods as per your requirement (between events).
Follow these SO threads...
HttpUtility.HtmlEncode to validate user entries
w3c validation error in asp.net
If you can disable validation then follow these
asp.net: Invalid postback or callback argument
Check MSDN for Script Exploits
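The approach both answers point to (turn off request validation for the page, then check and encode the input yourself), sketched as an added example that is not code from either answer. The control IDs `ddlItems` and `litResult`, the class name `SubmitPage`, the handler `Submit_Click` and the item list are hypothetical.

```csharp
// Added example, not from the thread. Assumed markup (hypothetical names):
//   <%@ Page ValidateRequest="false" CodeBehind="SubmitPage.aspx.cs" Inherits="SubmitPage" %>
//   <asp:DropDownList ID="ddlItems" runat="server" />
//   <asp:Button runat="server" Text="Submit" OnClick="Submit_Click" />
//   <asp:Literal ID="litResult" runat="server" />
// On ASP.NET 4.0 the page-level setting is only honored when web.config has
//   <httpRuntime requestValidationMode="2.0" />
using System;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class SubmitPage : Page
{
    // Constructed sample data: the only values the server accepts back.
    private static readonly string[] AllowedItems = { "<abcd>", "plain", "a & b" };

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Store the raw text; the DropDownList HTML-encodes item text
            // and values itself when it renders the <option> elements.
            foreach (string item in AllowedItems)
                ddlItems.Items.Add(new ListItem(item, item));
        }
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        string selected = ddlItems.SelectedValue;

        // Request validation is off for this page, so the posted value is
        // checked here against the server-side list before it is used.
        if (!AllowedItems.Contains(selected, StringComparer.Ordinal))
        {
            litResult.Text = "Invalid selection.";
            return;
        }

        // Literal does not encode its Text in the default mode, so encode
        // at the point of output, never on the stored value.
        litResult.Text = "You chose: " + HttpUtility.HtmlEncode(selected);
    }
}
```

Keep `ValidateRequest="false"` scoped to the one page that needs it rather than disabling validation site-wide in web.config.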