A potentially dangerous Request.Form



System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client.

Here we look briefly at the error message: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client.

<httpRuntime requestValidationMode="4.0" />

This setting can be found in the web.config. The behaviour has changed since .NET 2.0, where request validation was applied only to .NET web pages; with version 4.0 of the .NET Framework, any HTTP request triggers request validation. Request validation helps protect against Cross-Site Scripting (XSS) attacks, so it's best not to switch it off. If you send something that triggers this validation, such as HTML content in the HTTP request, you could get the error message: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client.

To revert to the older behaviour, you can set this in the web.config:


<httpRuntime requestValidationMode="2.0" />


However, it's not really advised to switch this off. You could move the troublesome component to a sub-directory and set the web.config in just that directory, but ideally you need to make sure you're protected. Perhaps you could validate the data before it comes to the web server, so you don't have to disable this at all, or find some other way to avoid switching this protection off whilst keeping the functionality? Perhaps some kind of encoding?
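The sub-directory approach described above could look like the following two files. This is an added example, not configuration from the original page; the `Editor` directory name is an assumption chosen for illustration.

```xml
<!-- File 1: ~/web.config (application root).
     The whole site keeps the .NET 4.0 behaviour: every HTTP request is validated. -->
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="4.0" />
  </system.web>
</configuration>

<!-- File 2: ~/Editor/web.config (hypothetical sub-directory).
     Holds only the page that has to accept HTML content in a form post. -->
<configuration>
  <system.web>
    <!-- 2.0 mode: validation applies to pages only, and the page-level
         validateRequest setting is honoured again. -->
    <httpRuntime requestValidationMode="2.0" />
    <!-- In 2.0 mode validation is still on by default; this turns it off
         for the pages in this directory and nowhere else. -->
    <pages validateRequest="false" />
  </system.web>
</configuration>
```

Pages in that directory no longer get the automatic check, so whatever they accept needs to be HTML-encoded (for example with `HttpUtility.HtmlEncode`) before it is written back into a response.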

References

Thanks to Microsoft for the reference information at http://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.requestvalidationmode.aspx and http://www.asp.net/whitepapers/aspnet4/breaking-changes#0.1__Toc256770147