ASP.NET Request Validation has detected a potentially dangerous client input value

This exception occurs when the server receives content containing unencoded HTML. It is a measure for preventing script attacks: for example, <script>alert("blabla")</script> could otherwise be executed, and other harmful code could be executed in the same way. The request validation feature of ASP.NET does not allow this.
To disable request validation on a page you must set the validateRequest attribute of the Page directive to false. The developer has to ensure that the content is properly encoded.
Another way to disable it is through web.config, where attribute names are case-sensitive. You have to set:
<configuration>
  <system.web>
    <pages validateRequest="false">
    </pages>
  </system.web>
</configuration>

The HTML content can be encoded/decoded using the Server.HtmlEncode(string)/Server.HtmlDecode(string) functions.
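
The following single-file page is an added example, not code from the original post: it turns request validation off for one page and encodes the posted text before writing it back. The control IDs and handler name are hypothetical, and the requestValidationMode note in the comment applies to ASP.NET 4 and later.

```aspx
<%@ Page Language="C#" ValidateRequest="false" %>
<%-- Added example; control IDs and the handler name are hypothetical.
     On ASP.NET 4 and later, the page-level ValidateRequest="false" above is
     honoured only when web.config also sets
     <httpRuntime requestValidationMode="2.0" /> under <system.web>. --%>
<script runat="server">
    protected void Submit_Click(object sender, EventArgs e)
    {
        // With validation off, this string may contain HTML markup
        // exactly as the client sent it.
        string raw = CommentBox.Text;

        // Label.Text is written into the response as-is, so it must be
        // encoded explicitly. Assigning 'raw' here without encoding would
        // let the browser interpret any markup the client posted.
        EncodedLabel.Text = Server.HtmlEncode(raw);

        // A Literal with Mode="Encode" applies the same encoding at render
        // time, so the raw value can be assigned directly.
        EncodedLiteral.Text = raw;
    }
</script>
<html>
<body>
  <form id="form1" runat="server">
    <asp:TextBox ID="CommentBox" runat="server"
                 TextMode="MultiLine" Rows="4" Columns="60" />
    <asp:Button ID="Submit" runat="server" Text="Post"
                OnClick="Submit_Click" />
    <p>Label with Server.HtmlEncode:
       <asp:Label ID="EncodedLabel" runat="server" /></p>
    <p>Literal with Mode="Encode":
       <asp:Literal ID="EncodedLiteral" runat="server" Mode="Encode" /></p>
  </form>
</body>
</html>
```

Posting the script string from the example above to this page shows it as visible text in both outputs instead of running it.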

2 comments:

  1. This comment has been removed by a blog administrator.

  2. The request validation function of ASP.NET which, by standard, stops the handling of unencoded HTML material posted to the hosting server.
