Bug Report T294579

ComboBox - AllowHtml attribute does not work and "A potentially dangerous Request.Form..." error is thrown on data submit

created 9 years ago (modified 9 years ago)

Hello.

I've been struggling with getting a field containing HTML to work in my GridView. On submit of an edit, the edit saves, but throws the error "A potentially dangerous Request.Form value was detected from the client (DXCallbackArgument="…")".

On looking through other tickets, I've seen that this should be possible.

I came across the solution provided to one ticket, T142275, a project which implements this with no troubles.
With some testing, I've narrowed it down to some ComboBox type columns in my datagrid (separate from the HTML containing field). As soon as I change the type to MVCxGridViewColumnType.ComboBox, the exception is thrown.

Is there something I'm missing, or is it not possible to include a combobox in this circumstance?

Comments (1)
Alessandro (DevExpress Support) 9 years ago

    Hi,

    Thank you for pointing out this behavior. I was able to reproduce it on our side. I will discuss it with the team. We will contact you once we have any results. We greatly appreciate your time and cooperation.

    Answers approved by DevExpress Support

    created 9 years ago

    We have fixed the issue described in this ticket and will include the fix in our next maintenance update. To apply this solution before the official update, request a hotfix by clicking the corresponding link for product versions you require.

    Note: Hotfixes may be unavailable for beta versions and updates that are about to be released.

      Alessandro (DevExpress Support) 9 years ago

        This is the expected behavior. The UnitPrice column does not allow HTML content in my sample because the Product.UnitPrice property is not decorated with the AllowHtml attribute.

        Matthias Klein 9 years ago

          See attached your adjusted project where the error occurs.

          Alessandro (DevExpress Support) 9 years ago

            Hi,

            It appears that the issue occurs in your sample because your implementation violates one of the rules described in the Using Callbacks help section for a callback-aware extension:

            - The callback-aware extension has a separate partial view.
            - There is no extra HTML content in this partial view.
            - The callback action method returns the corresponding partial view.

            In your particular scenario, the partial view with the GridView extension has extra HTML markup:

            C#
            <br />
            <br />
            @(Html.DevExpress().ComboBox(settings =>
            {
                settings.Name = "cbTestAutoCompleteComboBox";
                settings.Width = 230;
                settings.Properties.DropDownWidth = 350;
                settings.Properties.DropDownStyle = DropDownStyle.DropDown;
            }).GetHtml())

            Move this markup to the main Index view to fix the issue. I hope this makes sense.

            See Also:
            KA20010 - Why can the alert message with the HTML/JavaScript/CSS content appear when using callback-aware extensions?
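
The two points made in the replies above (request validation is lifted only for properties decorated with AllowHtml, and the callback action returns only the grid's partial view), as an added example that is not code from this ticket or from DevExpress. The Description property, the action and view names, and the in-memory list are assumptions made for illustration.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical model: only Description opts out of request validation.
public class Product
{
    public int ProductID { get; set; }

    [AllowHtml] // the model binder skips request validation for this property only
    public string Description { get; set; }

    // Not decorated: markup posted to this field is still rejected.
    public decimal UnitPrice { get; set; }
}

public class ProductsController : Controller
{
    // Constructed sample data so the example has no database dependency.
    private static readonly List<Product> Store = new List<Product>
    {
        new Product { ProductID = 1, Description = "<b>Chai</b>", UnitPrice = 18m }
    };

    // Main view: page layout and any editors that live outside the grid go here.
    public ActionResult Index()
    {
        return View(Store);
    }

    // Callback action: returns the grid's partial view and nothing else.
    public ActionResult GridViewPartial()
    {
        return PartialView("_GridViewPartial", Store);
    }

    // Adding [ValidateInput(false)] here instead would switch request validation
    // off for every posted field, not just Description.
    [HttpPost]
    public ActionResult GridViewPartialUpdate(Product product)
    {
        var existing = Store.Find(p => p.ProductID == product.ProductID);
        if (ModelState.IsValid && existing != null)
        {
            existing.Description = product.Description; // raw HTML: encode or sanitize on output
            existing.UnitPrice = product.UnitPrice;
        }
        return PartialView("_GridViewPartial", Store);
    }
}
```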
