A POTENTIALLY DANGEROUS REQUEST.FORM VALUE WAS DETECTED FROM THE CLIENT

Error / Cause:

In .NET, request validation is a feature that prevents the server from accepting content from the client that contains un-encoded HTML. It helps prevent script-injection attacks in which a client submits malicious script to the server. Even though the intention of the feature is good, it can also cause some issues for us. For instance, I am trying to pass XML data in an input field and request validation is preventing the page from proceeding to the server.

Solution:

  • When using up to .NET 2
    • Two options:
      • On the page where you would like to accept un-encoded HTML, at the top of the aspx page (line 1, along with Page Language="C#" ….) add: ValidateRequest="false"
      • Otherwise, if you would like to switch validation off globally for all pages, in your web.config under the system.web section add:
        <pages validateRequest="false" />
  • When using a newer version of .NET
    • First do either of the above to turn off validation.
    • In your web.config, find the httpRuntime element and set requestValidationMode to 2.0 as follows:
      <httpRuntime requestValidationMode="2.0"/>

 

This should do the trick!
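
Once validation is off for a page, nothing inspects the posted field before your code sees it. The following is an added example, not code from the original post: a hypothetical helper (the class name XmlFieldGuard, its method names and the size limit are assumptions) that parses the XML field with DTDs disabled and HTML-encodes anything echoed back. It assumes .NET 4 or later.

```csharp
using System;
using System.IO;
using System.Net;
using System.Xml;
using System.Xml.Linq;

// Hypothetical helper for a page that sets ValidateRequest="false" so that
// it can accept XML in a form field. Names and limits are assumptions.
public static class XmlFieldGuard
{
    private const int MaxChars = 64 * 1024; // assumed size limit for the field

    // Returns the parsed document, or null when the posted value is rejected.
    public static XDocument TryParse(string posted)
    {
        if (string.IsNullOrEmpty(posted) || posted.Length > MaxChars)
            return null;

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // reject any DOCTYPE
            XmlResolver = null                      // never fetch external resources
        };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(posted), settings))
                return XDocument.Load(reader);
        }
        catch (XmlException) { return null; } // malformed XML or a prohibited DTD
    }

    // HTML-encode any part of the posted value before writing it into a page.
    public static string ForHtml(string value)
    {
        return WebUtility.HtmlEncode(value ?? string.Empty);
    }

    public static void Main()
    {
        // Constructed sample inputs, not taken from the original post.
        string wellFormed = "<order id=\"1\"><note>a &lt; b</note></order>";
        string withDoctype = "<!DOCTYPE order><order />";
        string notXml = "<b>hello";

        Console.WriteLine(TryParse(wellFormed) != null);  // parsed document accepted?
        Console.WriteLine(TryParse(withDoctype) != null); // DOCTYPE accepted?
        Console.WriteLine(TryParse(notXml) != null);      // malformed input accepted?
        Console.WriteLine(ForHtml(notXml));               // encoded form for output
    }
}
```

In the code-behind, pass the field's value to TryParse and stop processing the request when it returns null.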
