Many applications are still built with ASP.NET Web Forms. When a user enters HTML tags into one of your forms, whether as a cross-site scripting attempt or to inject a malicious script into your site, and submits it, you get the following error:

A potentially dangerous Request.Form value was detected from the client

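Although ASP.NET handles the submission of HTML tags, it does so by throwing the error above, which looks ugly.

We can attach a custom validator to the input controls and stop the form from being submitted in the first place. In this snippet I check for only 4 HTML tag varieties; you can use any combination you want. The check runs in the browser, so it only spares users the error page: ASP.NET request validation still runs on the server and should stay enabled.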

SNIPPET
Your .aspx page – no code-behind

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
    <script type="text/javascript">
        function validateText(sender, args) {
            // Read the current value of the text box being validated.
            var textBox = document.getElementById("<%=TextBox1.ClientID%>");
            var str = textBox.value.toLowerCase();
            // Mark the input invalid if it contains any of the HTML fragments we look for.
            if (str.includes("<") || str.includes("src=") || str.includes("<a") || str.includes("href=") || str.includes("<html")) {
                args.IsValid = false;
            }
            else {
                args.IsValid = true;
            }
        }
    </script>
</head>
<body>
    <form id="form1" runat="server">
        <div>
            <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
            <br />
            <asp:CustomValidator ID="CustomValidator1" runat="server" ErrorMessage="Invalid Characters" ControlToValidate="TextBox1" Display="Dynamic" ClientValidationFunction="validateText"></asp:CustomValidator>
            <br />
            <asp:Button ID="Button1" runat="server" Text="Submit" />
        </div>
    </form>
</body>
</html>
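
The check above flags any `<`, while the server error comes from ASP.NET request validation, which uses a narrower rule. The following added example (not code from the original post) mirrors that rule on the client, assuming the .NET Framework 4.x behaviour of rejecting `<` followed by a letter, `!`, `/` or `?`, and `&` followed by `#`; the function names are hypothetical and the sample inputs are constructed.

```javascript
// Assumed server rule (.NET Framework 4.x request validation):
//   '<' followed by a letter, '!', '/' or '?'   -> rejected
//   '&' followed by '#'                         -> rejected
// Verify against the framework version you actually run.
var SERVER_REJECTS = /<[A-Za-z!\/?]|&#/;

// Pure predicate, kept separate from the DOM so it can be unit-tested.
function wouldTriggerRequestValidation(value) {
    var text = (value === null || value === undefined) ? "" : String(value);
    return SERVER_REJECTS.test(text);
}

// ClientValidationFunction for a CustomValidator. args.Value holds the text
// of the ControlToValidate, so no control ID is hard-coded and the same
// function can serve every text box on the page.
function validateNoMarkup(sender, args) {
    args.IsValid = !wouldTriggerRequestValidation(args.Value);
}

// Constructed sample inputs: run each one through the validator the way
// the Web Forms client script would, and collect the IsValid results.
function demo() {
    var samples = [
        "<b>hello</b>",   // tag                   -> invalid
        "price < 100",    // '<' followed by space -> valid
        "Tom & Jerry",    // plain ampersand       -> valid
        "&#60;",          // numeric entity        -> invalid
        "</div>",         // closing tag           -> invalid
        "a<"              // trailing '<'          -> valid
    ];
    return samples.map(function (sample) {
        var args = { Value: sample, IsValid: true };
        validateNoMarkup(null, args);
        return args.IsValid;
    });
}
```

To use it, place the functions in the page's script block and set `ClientValidationFunction="validateNoMarkup"` on the `CustomValidator`.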