My company security policy dictates that I cannot turn off the ValidateRequest attribute for our forms website.
I am getting error reports from the site for potentially dangerous Request.Form input.
I can see from all of the errors that the danger is being picked up from foreign characters (such as German or Norwegian characters with umlauts) in the address fields.
I'm a little confused as to how these characters are even becoming HTML encoded, because the dangerous character combination is like &#229; which is the ö character.
A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$tbxDeliveryAddress="...last As B&#229;smosjyen 4 Mo...")
Obviously this is not malicious, and I need to allow customers to enter their addresses, including the umlauts. I wondered if the customer was unknowingly doing this by copy and paste maybe, so I set up an experiment with two labels and a text box: one label encoded some text with an umlaut in it, and the other label just printed the umlaut (I checked the HTML source on the rendered page, and this was behaving). I then copied and pasted each label in turn into a text box and submitted the form, but neither errored.
So I'm confused as to how this input is coming about from the customer. I find it hard to believe they would physically type &#229; into a text box when typing their address. As I don't really know how the foreign keyboards work, can anyone shed any light on this?
How can I stop this non-malicious text being caught by this feature in .NET without turning off the ValidateRequest attribute? It's really a pain for customers trying to innocently enter their delivery addresses.
EDIT
I have noticed, on the error message, that the text is actually coming from a multi-line textbox field, which generates the textarea HTML control. I wonder if this particular control is rendering the contents with HTML encoded text? I say this because the end user can't actually edit directly in this field; it is populated automatically, with a modal pop up to edit the address on individual lines. Does the multiline textbox automatically HTML encode its contents?
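To make the mechanism in the question concrete, here is an added example (not code from the question or from ASP.NET itself) that emulates, in Python, the two checks ASP.NET request validation applies to form values: a "<" followed by a letter, "!", "/" or "?", and an "&" followed by "#". It also contains a constructed helper, modelled on how .NET Framework's HttpUtility.HtmlEncode writes the Latin-1 range as numeric entities, to show why an address that was HTML encoded before being submitted a second time turns "å" into "&#229;" and trips the validator even though the raw "å" does not. The function names, the sample address and the triage helper are all assumptions made for this example.

```python
import html

# Constructed sample values: the raw address from the question, and the same
# address after it has been HTML encoded once (the "double encoding" case).
RAW_ADDRESS = "B\u00e5smosjyen 4 Mo"          # "Båsmosjyen 4 Mo"
ENCODED_ADDRESS = "B&#229;smosjyen 4 Mo"     # what the error message quoted


def asp_net_is_dangerous(value: str) -> bool:
    """Simplified emulation of ASP.NET request validation (assumption: it
    mirrors the IsDangerousString rules, not the framework's actual code).

    Flags "<" followed by a letter, "!", "/" or "?" (tag-like input) and
    "&" followed by "#" (numeric character references). Note that a plain
    non-ASCII character such as "å" is never flagged on its own.
    """
    for i, ch in enumerate(value):
        nxt = value[i + 1] if i + 1 < len(value) else ""
        if ch == "<" and nxt and (nxt.isalpha() or nxt in "!/?"):
            return True
        if ch == "&" and nxt == "#":
            return True
    return False


def legacy_html_encode(value: str) -> str:
    """Constructed helper modelled on .NET Framework's HttpUtility.HtmlEncode:
    besides the usual markup characters, code points 160..255 are written as
    numeric entities (&#nnn;). This is the step that turns "å" into "&#229;"
    when a control's text is encoded and then submitted back unchanged.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "<":
            out.append("&lt;")
        elif ch == ">":
            out.append("&gt;")
        elif ch == "&":
            out.append("&amp;")
        elif ch == '"':
            out.append("&quot;")
        elif 160 <= code <= 255:
            out.append(f"&#{code};")
        else:
            out.append(ch)
    return "".join(out)


def triage_flagged_value(value: str) -> str:
    """Defender-side triage for the error reports described in the question.

    Returns "tag-like" when the value contains markup-style input, and
    "entity-only" when the only reason it was flagged is a numeric character
    reference that decodes to ordinary text (the double-encoded address case).
    Returns "clean" when request validation would not have flagged it at all.
    """
    if not asp_net_is_dangerous(value):
        return "clean"
    decoded = html.unescape(value)
    # If decoding the entities yields text that no longer trips the checks,
    # the flag came from the entities alone, not from markup.
    if "&#" in value and not asp_net_is_dangerous(decoded) and "<" not in decoded:
        return "entity-only"
    return "tag-like"


if __name__ == "__main__":
    print("raw address flagged:", asp_net_is_dangerous(RAW_ADDRESS))
    print("encoded once:", legacy_html_encode(RAW_ADDRESS))
    print("encoded address flagged:", asp_net_is_dangerous(ENCODED_ADDRESS))
    print("decoded back:", html.unescape(ENCODED_ADDRESS))
    for sample in (RAW_ADDRESS, ENCODED_ADDRESS, "<script>", "a < b"):
        print(repr(sample), "->", triage_flagged_value(sample))
```

The point the example makes is that the umlaut itself is harmless to the validator; it is the "&#" prefix produced by an earlier round of HTML encoding that matches the rule. Running the encoder over the raw address reproduces exactly the "B&#229;smosjyen" fragment seen in the error message, which is the evidence to look for when checking whether a control (such as the multi-line textbox in the edit) is handing already-encoded text back to the form. The triage helper is only for classifying the logged errors; it does not loosen validation on the live request.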