ASP.NET 4.0 potentially dangerous Request.Form value was detected

A few days ago, while working on an ASP.NET 4.0 Web project, I got an issue. The issue was, when user enters non-encoded HTML content into a comment text box s/he got something like the following error message:

"A potentially dangerous Request.Form value was detected from the client".

This was because .NET detected something in the entered text which looked like an HTML statement. Then I got a link Request Validation, that is a feature put in place to protect your application cross site scripting attack and followed accordingly.

To disable request validation, I added the following to the existing "page" directive in that .aspx file.

ValidateRequest="false"

But I still got the same error. Later I found that, for .NET 4, we need to add requestValidationMode="2.0" to the httpRuntime configuration section of the web.config file like the following:

<httpRuntime requestValidationMode="2.0"/>

But if there is no httpRuntime section in the web.config file, then this goes inside the <system.web> section.

If anyone wants to turn off request validation globally for a user, the following line in the web.config file within <system.web> section will help:

<pages validateRequest="false" />  

Note: But always avoid the last example because there is a huge security issue. The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks.

However, we recommend that you analyze any request validation errors to determine whether existing handlers, modules, or other custom code accesses potentially unsafe HTTP inputs that could be XSS attack vectors.