A POTENTIALLY DANGEROUS REQUEST.FORM VALUE WAS DETECTED FROM THE CLIENT

Error / Cause:

In .NET we have request validation, a feature that prevents the server from accepting client content containing un-encoded HTML. It helps prevent script-injection attacks submitted to a server with malicious intent. Even though the intention of this feature is good, it can also cause some issues for us. For instance, I am trying to pass XML data in an input field and request validation is preventing the page from proceeding to the server.

Solution:

  • When using up to .NET 2
    • Two options:
      • On the page where you would like to accept un-encoded HTML, in the directive at the top of the aspx page (line 1, along with Page Language="C#" ….) add: ValidateRequest="false"
      • Otherwise, if you would like to switch validation off globally for all pages, in your web.config under the system.web section add:
        <pages validateRequest="false" />
  • When using a newer version of .NET
    • First do either of the above to turn off validation.
    • In your web.config, find the httpRuntime element and set requestValidationMode to 2.0 as follows:
      <httpRuntime requestValidationMode="2.0"/>

 

This should do the trick!
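With validation switched off as above, the page itself has to check the posted value and encode it on output. The following is an added example, not code from the original post: it parses the posted XML with DTDs disabled and HTML-encodes anything echoed back. The class name, the `xmlData` field name, the size limit and the sample strings are assumptions.

```csharp
using System;
using System.IO;
using System.Net;
using System.Xml;
using System.Xml.Linq;

// Added example: with request validation off, the page must check the field itself.
public static class XmlFieldGuard
{
    // Parses the posted XML with DTDs and external resolution disabled.
    // Returns null when the value is empty, not well-formed, or carries a DOCTYPE.
    public static XDocument ParseUntrusted(string posted)
    {
        if (string.IsNullOrWhiteSpace(posted)) return null;
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // a DOCTYPE raises XmlException
            XmlResolver = null,                     // never fetch external resources
            MaxCharactersInDocument = 100000        // assumed size limit for the field
        };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(posted), settings))
                return XDocument.Load(reader);
        }
        catch (XmlException)
        {
            return null;
        }
    }

    // Encode at output time: this is the protection request validation no longer gives.
    public static string ForHtml(string value)
    {
        return WebUtility.HtmlEncode(value);
    }

    public static void Main()
    {
        // Constructed sample values standing in for Request.Form["xmlData"] (hypothetical field name).
        string ok = "<order id=\"7\"><note>&lt;b&gt;rush&lt;/b&gt;</note></order>";
        string withDtd = "<!DOCTYPE o [<!ENTITY e \"x\">]><o>&e;</o>";

        XDocument doc = ParseUntrusted(ok);
        string note = doc.Root.Element("note").Value;       // element text comes back XML-decoded
        Console.WriteLine(ForHtml(note));                   // encoded again before it reaches HTML
        Console.WriteLine(ParseUntrusted(withDtd) == null); // input with a DTD is refused
    }
}
```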


Forcing SSL on ASP.NET from http to https and vice-versa


Let's assume we have a shopping cart web app. To create a safe environment for your buyers, you need to run the payment page over https. Here is what we need to do.

In your master page (assuming you have one), read through and paste the following code in the page load or page init:

protected void Page_Load(object sender, EventArgs e)
{
    // true if the current request is on https
    bool secure = HttpContext.Current.Request.IsSecureConnection;

    // Path of the page which requires SSL (https) - CHANGE TO OWN PATH
    string paymentPagePath = "/PaymentGateway/default.aspx";

    // Server name or localhost if running locally
    string serverName = Request.ServerVariables["SERVER_NAME"];

    // Path of the current page
    string scriptName = Request.ServerVariables["SCRIPT_NAME"];

    // Query String if any
    string queryString = Request.ServerVariables["QUERY_STRING"];

    // If we are on the page which requires SSL.
    // Compared case-insensitively so a differently cased URL is still forced onto https.
    if (scriptName.IndexOf(paymentPagePath, StringComparison.OrdinalIgnoreCase) >= 0)
    {
        // If it is not currently using https
        if (!secure)
        {
            if (Request.ServerVariables.Get("HTTP_CLUSTER_HTTPS") == null)
            {
                string xredir__, xqstr__;

                // Build redirect link using https
                xredir__ = "https://" + serverName;
                xredir__ += scriptName;
                xqstr__ = queryString;

                if (xqstr__ != "")
                    xredir__ = xredir__ + "?" + xqstr__;

                // Redirect to same page using https
                Response.Redirect(xredir__);
            }
        }
    }
    // else if not on the page which requires SSL:
    // if the page is using SSL, we need to redirect to http
    else if (secure)
    {
        string xredir__, xqstr__;

        xredir__ = "http://" + serverName;
        xredir__ += scriptName;
        xqstr__ = queryString;

        if (xqstr__ != "")
            xredir__ = xredir__ + "?" + xqstr__;

        // Redirect to same page using http and not https
        Response.Redirect(xredir__);
    }
}