Store HTML in cookie

**shaoen01** · 01-18-2006, 09:10 AM

I tried storing html information such as:

Code:

<p>Test123</p>

Tried saving the code above in a cookie using javascript but cant seem to work. I had this error:
A potentially dangerous Request.Cookies value was detected from the client (desc="<STRONG>Test </STRON...").

Is there any other way i can store such html information and use it in another web page? Thanks

**funkdaddu** · 01-18-2006, 09:19 AM

Why not just store "Test123" and then add the HTML wherever you're outputting the data? If you want to change the formatting later on, you can't because the user's cookie is formatted differently.

**shaoen01** · 01-18-2006, 09:29 AM

If user adds in tags like "<p>", how do i escape such characters? I have this editor tool that allows them to do formatting such as bold, underline, etc. And i would like it to remember the value if they go to another page and come back again. Both the html tags and value "Test123" is important to me.

**funkdaddu** · 01-18-2006, 09:46 PM

You can URLencode the data, then decode it... see here for a demo:
http://www.albionresearch.com/misc/urlencode.php

**Minaki** · 01-19-2006, 05:13 AM

The error you're seeing is caused by the .NET Framework. Thats one of the good things about .NET - it warns you of some types of potentially malicios user input by default. In this case, it is telling you that someone is trying to post HTML code to your page.

The reason this is not allowed is because a user could inject some HTML in there (for example, a bit of javascript redirecting to their own site) and then if you write this data back to clients at any point, the javascript will be executed and users will be redirected to another site (or shown popups, or whatever the malicious user inserted)

If you know that there's no feasible way for this to happen, you can turn off this validation very easily, although it's not reccomended.
<@ Page language="VB" ValidateRequest="false" %>
Or (definitly not reccomended) yo ucan turn it off for the entire site in web.config by adding
<pages ValidateRequest="false" />
into your web.config file.

Instead, what you should do is use something like BBCode and only allow the tags you want, such as [p], [b], [i], etc. that when converted to HTML can't really do any damage at all.