I've got a .net form (c#), with a few textboxes and a simple button control that runs a save procedure on the backend that saves whatever is in the textboxes to the database. This is for an internal system with only trusted users using it. There is NO validation currently on any of the boxes.
The system works, but if any opening or closing tag characters ("<" or ">") are entered into any textbox on the page, the button automatically is disabled. You click on it and nothing happens (I went ahead and through a breakpoint on the save button to see if its even being fired at all, and no dice)
I'm assuming this is some sort of built-in mechanism in the webform to maybe prevent against sql injection attacks or something? Is there a way to disable it?
-- editing to add relevant code. Note that I'm not going into depth as to what the save button does, because its not firing in the first place. With no "<" or ">" in the textbox (txtText_Box1) it works fine with no issues.
<b>Title</b><br />
<asp:TextBox ID="txtTitle_Box1" runat="server" Width="600px"></asp:TextBox><br /><br />
<b>Text</b><br />
<asp:TextBox ID="txtText_Box1" runat="server" Width="600px" TextMode="MultiLine" Rows="4"></asp:TextBox><br /><br />
<b>Link To</b><br />
<asp:TextBox ID="txtLink_Box1" runat="server" Width="600px" /><br /><br />
<b>Link Text (always ends with >>)</b><br />
<asp:TextBox ID="txtLinkText_Box1" runat="server" Width="600px" /><br /><br />
<b>Image</b><br />
<asp:Image id="imgBox4" runat="server" /><br /><br />
<br /><br />
<asp:Button ID="btnSave" runat="server" Text="Save Changes" CssClass="cssButton1" OnClick="btnSave_Click" />
protected void btnSave_Click(object sender, EventArgs args)
{
string sTitle = string.Empty;
string sText = string.Empty;
string sURL = string.Empty;
string sLinkText = string.Empty;
sTitle = txtTitle_Box1.Text.ToString();
sText = txtText_Box1.Text.ToString();
sURL = txtLink_Box1.Text.ToString();
sLinkText = txtLinkText_Box1.Text.ToString();
....
}
After alot of trial and error, I narrowed it down to only one character which wonks the button. "<", every other character on the keyboard including the ones most prevalent in sql injection attacks work fine. I didn't really "fix" the problem, but I implemented a workaround and put in an escape character. "::" instead of "<". Seems extremely silly, and I still have no idea why this is happening, but it does get me past my issue. If anyone has a better idea I'll certainly ask to have this answer canceled and give full credit to you.