Thursday, August 30, 2012

ASP.NET 4.0 potentially dangerous Request.Form value was detected

A few days ago, while working on an ASP.NET 4.0 Web project, I ran into an issue: when a user entered unencoded HTML content into a comment text box, s/he got an error message like the following:
"A potentially dangerous Request.Form value was detected from the client".


This was because .NET detected something in the entered text that looked like an HTML statement. I then found a link about Request Validation, a feature put in place to protect your application against cross-site scripting attacks, and followed it accordingly.

To disable request validation, I added the following to the existing "page" directive in that .aspx file.

ValidateRequest="false"


But I still got the same error.

Later I found that, for .NET 4, we need to add requestValidationMode="2.0" to the httpRuntime configuration section of the web.config file, as follows:

<httpRuntime requestValidationMode="2.0"/>


But if there is no httpRuntime section in the web.config file, then this goes inside the <system.web> section.

If anyone wants to turn off request validation globally, use the following line in the web.config file within the <system.web> section:

<pages validateRequest="false" /> 
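Since request validation is a cross-site scripting safeguard, the settings above can be limited to the one page that needs raw HTML instead of being applied site-wide. The web.config below is an added example, not part of the original post; the page name Comment.aspx is a hypothetical placeholder.

```xml
<?xml version="1.0"?>
<configuration>

  <!-- Site-wide: keep request validation on with the .NET 4 behaviour.
       No requestValidationMode="2.0" and no validateRequest="false" here,
       so every other page keeps rejecting HTML-looking input. -->
  <system.web>
    <pages validateRequest="true" />
  </system.web>

  <!-- Only the page that accepts HTML comments gets the 2.0 behaviour.
       "Comment.aspx" is a hypothetical file name; use your own page path.
       That page still carries ValidateRequest="false" in its Page directive. -->
  <location path="Comment.aspx">
    <system.web>
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>

</configuration>
```

With validation off on that page, the comment text has to be HTML-encoded wherever it is rendered, for example with the `<%: %>` expression syntax in ASP.NET 4 or with Server.HtmlEncode.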

