A few days ago, while working on an ASP.NET 4.0 Web project, I ran into an issue: when a user entered unencoded HTML content into a comment text box, s/he got something like the following error message:
"A potentially dangerous Request.Form value was detected from the client".
This was because .NET detected something in the entered text that looked like an HTML statement. I then found a link about Request Validation, a feature put in place to protect your application against cross-site scripting attacks, and followed it accordingly.
To disable request validation, I added the following to the existing "page" directive in that .aspx file.
ValidateRequest="false"
But I still got the same error.
Later I found that, for .NET 4, we need to add requestValidationMode="2.0" to the httpRuntime configuration section of the web.config file, like the following:
<httpRuntime requestValidationMode="2.0"/>
If there is no httpRuntime section in the web.config file, then this line goes inside the <system.web> section.
If anyone wants to turn off request validation globally, use the following line in the web.config file within the <system.web> section:
<pages validateRequest="false" />
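With request validation off, the page itself has to neutralize whatever the comment box accepts before writing it back out. The following is an added example, not code from the original post: a hypothetical CommentRenderer helper in C# that HTML-encodes the posted comment and then re-enables only a short allow-list of plain formatting tags. The class name, the tag list and the sample input are assumptions.

```csharp
using System;
using System.Text;
using System.Web; // HttpUtility.HtmlEncode; requires a reference to System.Web.dll

// Hypothetical helper (not from the original post) for a page that runs
// with ValidateRequest="false" and must therefore sanitize its own output.
public static class CommentRenderer
{
    // Assumed allow-list: plain formatting tags only, never with attributes.
    private static readonly string[] AllowedTags = { "b", "i", "u" };

    public static string ToSafeHtml(string rawComment)
    {
        if (string.IsNullOrEmpty(rawComment)) return string.Empty;

        // 1. Encode everything, so any markup in the comment renders as text.
        var sb = new StringBuilder(HttpUtility.HtmlEncode(rawComment));

        // 2. Re-enable only exact, attribute-free tags from the allow-list.
        //    A tag carrying attributes (e.g. an event handler) never matches
        //    these literal strings and therefore stays encoded.
        foreach (string tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return sb.ToString();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input: one allowed tag, one script tag,
        // and one allowed tag name carrying an attribute.
        string posted = "<b>Nice post</b> <script>alert(1)</script> " +
                        "<b onclick=\"x()\">hi</b>";
        Console.WriteLine(CommentRenderer.ToSafeHtml(posted));
    }
}
```

In a Web Forms page, the return value of ToSafeHtml is what would be assigned to a Literal or Label when the stored comment is displayed.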