A potentially dangerous Request.Form value was detected from the client – ASP.NET 4.0

If you happen to upgrade your .NET Framework to use the .NET 4.0 CLR's version of ASP.NET, it helps to keep the ASP.NET 4.0 breaking changes document handy.

After the upgrade, most users who submit HTML data through rich-text editors or textboxes encounter the following error: “Exception type: System.Web.HttpRequestValidationException Exception message: A potentially dangerous Request.Form value was detected from the client”

Now, we know about the request validation feature in ASP.NET, which shields against cross-site scripting (XSS) attacks to a certain level. However, this level of security changes in ASP.NET 4.0, which makes request validation stricter.

As given in the documentation: “In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.”

To fix this error, open your web.config and add the following setting inside <system.web> as shown here:

<system.web>
  <httpRuntime requestValidationMode="2.0" />
  <!-- ... rest of your settings come here -->
</system.web>

The <httpRuntime requestValidationMode="2.0" /> setting disables validation for request data. Although this isn’t a particularly good fix, as it compromises security, I believe it’s the only quick hack available unless you want to float your own custom request validator.
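The custom request validator mentioned above could look like the following. This is an added example, not code from the original article: it exempts a single rich-text form field on a single page and leaves the built-in ASP.NET 4 validation in place for everything else. The namespace, class name, page path and form key are assumptions to be replaced with your own values.

```csharp
using System;
using System.Web;
using System.Web.Util;

// Register in web.config inside <system.web> (the type name is this example's own):
//   <httpRuntime requestValidationType="SampleApp.Security.EditorFieldValidator" />
namespace SampleApp.Security
{
    public class EditorFieldValidator : RequestValidator
    {
        // Assumed values: the page hosting the rich-text editor and the
        // form key (the control's UniqueID) that carries its HTML.
        private const string EditorPage = "/Admin/EditArticle.aspx";
        private const string EditorField = "ctl00$MainContent$txtBody";

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = -1; // -1: no offending position to report

            bool isEditorField =
                context != null &&
                requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, EditorField, StringComparison.Ordinal) &&
                string.Equals(context.Request.Path, EditorPage,
                              StringComparison.OrdinalIgnoreCase);

            if (isEditorField)
            {
                // Markup is let through for this one field only. The application
                // must sanitize it against an allow-list before storing it and
                // encode it wherever it is not meant to render as HTML.
                return true;
            }

            // Query strings, cookies, headers, paths and every other form
            // field keep the built-in ASP.NET 4 checks.
            return base.IsValidRequestString(context, value,
                requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}
```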





About The Author

Suprotim Agarwal
Suprotim Agarwal, ASP.NET Architecture MVP (Microsoft Most Valuable Professional) works as an Architect Consultant and provides consultancy on how to design and develop Web applications.

Suprotim is also the founder and primary contributor to DevCurry, DotNetCurry and SQLServerCurry. He is the Editor of a Developer Magazine called DNC Magazine. He has also written two eBooks: 51 Recipes using jQuery with ASP.NET Controls and The Absolutely Awesome jQuery CookBook.


2 comments:

Michelle Sollicito said...

Just want you to know that there are a LOT of people across the web looking for this solution but I only found it by accident!!! Thank you so much! It took me hours to find this!
