22

I have this piece of code to handle the HttpRequestValidationException in my global.asax.cs file.

```csharp
protected void Application_Error(object sender, EventArgs e)
{
    var context = HttpContext.Current;
    var exception = context.Server.GetLastError();
    if (exception is HttpRequestValidationException)
    {
        Response.Clear();
        Response.StatusCode = 200;
        Response.Write(@"<html><head></head><body>hello</body></html>");
        Response.End();
        return;
    }
}
```

If I debug my web application, it works perfectly. But when I put it on our production server, the server ignores it and generates the "a potentially dangerous request.form value was detected from the client" error page. I don't know what happens exactly... Does anybody know what the problem is, or what I am doing wrong?

Also, I don't want to set validateRequest to false in the web.config.

The server uses IIS 7.5, and I'm using ASP.NET 3.5.

Thanks, Bruno

bruno

2 Answers

18

OK, I found it myself. I must clear my last error.

```csharp
protected void Application_Error(object sender, EventArgs e)
{
    var context = HttpContext.Current;
    var exception = context.Server.GetLastError();
    if (exception is HttpRequestValidationException)
    {
        context.Server.ClearError();    // Here is the new line.
        Response.Clear();
        Response.StatusCode = 200;
        Response.Write(@"<html><head></head><body>hello</body></html>");
        Response.End();
        return;
    }
}
```
Pang
bruno
  • 5
    I don't think you need the "context" var. It works just fine as "Server.GetLastError()" and "Server.ClearError()". – WildJoe Dec 12 '11 at 21:02
  • 1
    Response.End() throws an exception by design. Instead use this: `HttpContext.Current.ApplicationInstance.CompleteRequest`. Take a look at this for the explanation: https://support.microsoft.com/en-us/help/312629/prb-threadabortexception-occurs-if-you-use-response-end-response-redir – Kamran Mar 06 '18 at 14:16
  • With the comments from @WildJoe and Kamran (sorry cannot notify both, thanks SO), this looks to be a very viable and useful way to override the default error handling in Web API. +1. – joeschmoe54321 Aug 20 '20 at 20:43
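
An added example (not part of the original answer or its comments) that combines the answer's `ClearError()` fix with the `CompleteRequest()` call suggested by Kamran. The class name `Global`, the 400 status, `TrySkipIisCustomErrors`, the inner-exception check, the page text and the trace logging are assumptions added here, not taken from the thread.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Assumed code-behind class for Global.asax.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (error == null)
        {
            return;
        }

        // Match the exception itself or, defensively, one wrapped by the pipeline.
        HttpRequestValidationException rejected =
            error as HttpRequestValidationException
            ?? error.InnerException as HttpRequestValidationException;
        if (rejected == null)
        {
            return; // Not a validation failure: leave it to the default handling.
        }

        // Log request metadata only. The exception message quotes part of the
        // rejected value, so it is deliberately kept out of the log line.
        Trace.TraceWarning("Request validation rejected input: {0} {1} from {2}",
            Request.HttpMethod, Request.Path, Request.UserHostAddress);

        Server.ClearError();                    // The fix from the answer.
        Response.Clear();
        Response.TrySkipIisCustomErrors = true; // Ask IIS 7.x to keep this body for a 4xx status.
        Response.StatusCode = 400;              // Assumption: report the rejection as a client error.
        Response.ContentType = "text/html";

        // Static markup only: nothing from the request is written back.
        Response.Write("<html><head></head><body>The request could not be processed.</body></html>");

        // End the request without the ThreadAbortException that Response.End() raises.
        CompleteRequest();
    }
}
```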
10

Another way that only works with MVC is using a custom Exception Filter:

  • Create a custom FilterAttribute that implements IExceptionFilter.
  • From inside the FilterAttribute, you can redirect to the controller or view to be used to display the error.
  • Register the filter in the Global.asax or attribute your controllers.

This has the advantage that you can use the normal MVC infrastructure (Razor) to render the error view.

```csharp
using System.Web;
using System.Web.Mvc;

public class HttpRequestValidationExceptionAttribute : FilterAttribute, IExceptionFilter {

    public void OnException(ExceptionContext filterContext) {
        // Only act on request-validation failures that no earlier filter has handled.
        if (!filterContext.ExceptionHandled && filterContext.Exception is HttpRequestValidationException) {
            filterContext.Result = new RedirectResult("~/HttpError/HttpRequestValidationError");
            filterContext.ExceptionHandled = true;
        }
    }
}
```
Georg Patscheider
  • Thanks for sharing :-) I'll look at it when I have some spare time :-) – bruno Aug 05 '15 at 09:26
  • Thanks for this. I used it but found that filterContext.ExceptionHandled was already set to true so the code in the if statement wasn't run and my default error page was shown. I took that condition out and it now appears to work perfectly. Not sure if doing so might cause problems elsewhere though... any thoughts? Thanks! – Kate Nov 12 '15 at 11:16
  • Testing for ExceptionHandled is done so a single exception is not handled by multiple filters. See http://stackoverflow.com/questions/10597478/exceptioncontext-exceptionhandled-changes-to-true-where-is-the-exception-being for further discussion. – Georg Patscheider Nov 12 '15 at 14:44
  • This answer should be accepted. It is better to have filters than filter all exceptions in Global. – zolty13 Nov 14 '19 at 11:35