Click here to Skip to main content
Click here to Skip to main content
Search within:



 
Comments & Discussions (45)

ASP.NET 4.0 potentially dangerous Request.Form value was detected

By , 6 Feb 2013
 

A few days ago, while working on an ASP.NET 4.0 Web project, I got an issue. The issue was, when user enters non-encoded HTML content into a comment text box s/he got something like the following error message:

"A potentially dangerous Request.Form value was detected from the client".

This was because .NET detected something in the entered text which looked like an HTML statement. Then I got a link Request Validation, that is a feature put in place to protect your application cross site scripting attack and followed accordingly.

To disable request validation, I added the following to the existing "page" directive in that .aspx file.

ValidateRequest="false"

But I still got the same error. Later I found that, for .NET 4, we need to add requestValidationMode="2.0" to the httpRuntime configuration section of the web.config file like the following:

<httpRuntime requestValidationMode="2.0"/>

But if there is no httpRuntime section in the web.config file, then this goes inside the <system.web> section.

If anyone wants to turn off request validation globally for a user, the following line in the web.config file within <system.web> section will help:

<pages validateRequest="false" />

Note: But always avoid the last example because there is a huge security issue. The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks.

However, we recommend that you analyze any request validation errors to determine whether existing handlers, modules, or other custom code accesses potentially unsafe HTTP inputs that could be XSS attack vectors.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

 Monjurul Habib
Software Developer (Senior)
Bangladesh Bangladesh
Member
Software Engineer with years of successful records serving mid and large scale .NET applications. Have a wide range of experience working in domestic and international client environment. Expertise in different areas of software development life cycles and Software Architecture. I always love to learn new technologies and share with others.
 
Father of a wonderful, smart kid and passionately in love with my wife and life-partner Smile | :)

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
Hint: For improved responsiveness ensure Javascript is enabled and choose 'Normal' from the Layout dropdown and hit 'Update'.
You must Sign In to use this message board.
Search this forum  
    Spacing  Noise  Layout  Per page   
First Prev Next
GeneralMy vote of 5professionaldpalash2 May '13 - 3:14 
GeneralMy vote of 3memberDrTJ20668 Mar '13 - 4:23 
QuestionBest of both worldsmemberIsaac Shloss26 Dec '12 - 10:04 
AnswerRe: Best of both worldsmemberminLVwang9 Jan '13 - 16:28 
QuestionPartially dangerous solution!memberJurisfox9 Nov '12 - 1:23 
AnswerRe: Partially dangerous solution!memberMonjurul Habib9 Nov '12 - 10:06 
GeneralMy vote of 5memberMember 89619178 Nov '12 - 3:28 
GeneralRe: My vote of 5memberMonjurul Habib8 Nov '12 - 7:54 
QuestionGreat Solution!!!!!membernickT.Tnick18 Oct '12 - 22:07 
AnswerRe: Great Solution!!!!!memberMonjurul Habib19 Oct '12 - 6:37 
GeneralMy vote of 5memberAjith_joseph3 Aug '12 - 0:46 
GeneralRe: My vote of 5memberMonjurul Habib3 Aug '12 - 2:31 
GeneraltanxmemberBehzad Habibzadeh11 Jul '12 - 1:21 
GeneralRe: tanxmemberMonjurul Habib3 Aug '12 - 2:31 
QuestionhimemberNitin Kumar Chaudhary27 Jun '12 - 22:55 
AnswerRe: himemberMonjurul Habib28 Jun '12 - 20:13 
GeneralMy vote of 5memberwalkerwzy22 Jun '12 - 21:16 
GeneralRe: My vote of 5memberMonjurul Habib24 Jun '12 - 21:37 
GeneralRealy HelpfullmemberArman Erfani11 Jun '12 - 21:34 
GeneralRe: Realy HelpfullmemberMonjurul Habib14 Jun '12 - 10:05 
GeneralMy vote of 5membertechchallenger6 May '12 - 14:23 
GeneralRe: My vote of 5memberMonjurul Habib7 May '12 - 21:17 
GeneralReason for my vote of 5 Exactly my scenario, and was helpfulmemberMember 467175418 Feb '12 - 9:33 
GeneralRe: thank youmemberMonjurul Habib25 Feb '12 - 23:52 
GeneralReason for my vote of 5 excellent postmemberjpmontoya18226 Dec '11 - 7:43 
GeneralRe: thank youmemberMonjurul Habib26 Dec '11 - 8:25 
GeneralReason for my vote of 5 Run into this several times recently...memberPeterA20 Dec '11 - 10:14 
GeneralRe: thank youmemberMonjurul Habib20 Dec '11 - 19:28 
GeneralThis does not address the security aspect of setting Validat...memberdavecal20 Dec '11 - 3:47 
GeneralRe: This is merely another example of microsoft trying to 'save'...memberVerrice22 Dec '11 - 6:10 
GeneralReason for my vote of 3 While this is a workaround it doesn'...memberdavecal20 Dec '11 - 3:45 
GeneralThis will be easier with ASP.NET 4.5: http://www.asp.net/vne...memberRichard Deeming15 Dec '11 - 8:41 
GeneralRe: I was talking about ASP.NET 4.0, anyway thank youmemberMonjurul Habib18 Dec '11 - 16:48 
GeneralReason for my vote of 5 Excellent. Needs a link or an extent...memberDave Vroman14 Dec '11 - 5:23 
GeneralRe: thank youmemberMonjurul Habib14 Dec '11 - 6:46 
GeneralReason for my vote of 5 Great this help solve my problem of ...memberDiing13 Dec '11 - 17:22 
GeneralRe: thank youmemberMonjurul Habib13 Dec '11 - 18:46 
GeneralReason for my vote of 5 keep it up!memberAftab Quraishi12 Dec '11 - 19:06 
GeneralRe: thanks boss :)memberMonjurul Habib12 Dec '11 - 19:13 
GeneralReason for my vote of 5 usefulmemberHumayun Kabir Mamun10 Dec '11 - 22:53 
GeneralRe: thank youmemberMonjurul Habib10 Dec '11 - 23:38 
GeneralReason for my vote of 5 excellent work... very keen too. kee...membercisjackie10 Dec '11 - 20:19 
GeneralRe: thank youmemberMonjurul Habib10 Dec '11 - 20:19 
GeneralReason for my vote of 5 excellent post...memberMahbub_Hasan_Aiub10 Dec '11 - 6:42 
GeneralRe: thank youmemberMonjurul Habib10 Dec '11 - 6:47 
Last Visit: 31 Dec '99 - 18:00     Last Update: 18 May '13 - 2:31Refresh1

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

About Article
If anyone enters non-encoded HTML content into a text box in an ASP.NET application.
Type Tip/Trick
Licence CPOL
First Posted 9 Dec 2011
Views 97,113
Bookmarked 19 times
Top News

Math Primers for Programmers

Get the Insider News free each morning.
Related Videos
Passing Values From View To Action Using Context Object (Asp.Net MVC...
Passing Values From View To Action Using Context Object For Post Method...
Try catch block around "A potentially dangerous Request.Form"
Get TinyMCE Value from Server-Side in ASP.NET 4.0
Way To Know Which Control Has Raised PostBack
SQL Injection and Cross-Site Scripting
Submit HTML text with page validation turned on
SRE with Antixss Module
Request.Form method while redirect another page using javascript
Using Globalization and Localization in ASP.NET
ASP.NET Localization (Quick Reference)
ViewState in Dynamic Control
Security: It’s Getting Worse
Lessons on development of 64-bit C/C++ applications
Automatic style changes of ASP.NET controls as per client's screen resolution
ASP.NET's Data Storage Objects
Share a client side return value with the server side code
Declarative QueryString Parameter Binding
Calling a WebService from ASP3.0 and JavaScript
GoldMoney Online Merchant Interface
Syntax Change When Building Controls Dynamically in ASP.NET 2.0
Handy Form Functions
Permalink | Advertise | Privacy | Mobile
Web02 | 2.6.130516.1 | Last Updated 6 Feb 2013
Article Copyright 2011 by Monjurul Habib
Everything else Copyright © CodeProject, 1999-2013
Terms of Use
Layout: fixed | fluid