A POTENTIALLY DANGEROUS REQUEST.FORM VALUE WAS DETECTED FROM THE CLIENT

Error / Cause:

In .NET we have Request validation, which is a feature to prevent the server from accepting content from the client side containing un-encoded HTML. It helps to prevent client script-injection attacks submitted to a server for malicious intent. Even thought the intension of such feature is good, it can also cause some issues for us. For instance, I am trying to pass xml data in an input field and the Request validation is preventing the page from proceeding to the server.

Solution:

  • When using up to .NET 2
    • Two options:
      • On the page you would like to run your un-encoded HTML, on the aspx page at the top (line 1 along with Page Language=”C#” ….) add:¬†ValidateRequest="false"
      • Otherwise, if you would like to switch validation off globally for all pages, in your web.config under the system.web section add:
        <pages validateRequest="false" />
  • When using newer version of .NET
    • First do the either of the about to turn off validation.
    • In your web.config, find the HttpRuntime and set¬†requestValidationMode to 2.0 as follows:
      <httpRuntime requestValidationMode="2.0"/>

 

This should do the trick!