160

I have a form in which I use CKEditor. This form worked fine in ASP.NET 2.0 and 3.5, but now it doesn't work in ASP.NET 4+. I have the ValidateRequest="false" directive. Any suggestions?

HasanG
  • There's a short article about rendering validation controls properly if anyone cares: [Error Validation in .NET 4](http://www.softcircuits.com/Blog/post/2010/06/04/Validation-Controls-Lost-Their-Red-Color.aspx) – Ian Jun 15 '10 at 00:16
  • can anyone please let me know what are the drawbacks of using ValidationRequest=false? – fc123 Oct 16 '14 at 16:04

6 Answers

204

Found the solution on the error page itself. Just needed to add requestValidationMode="2.0" in web.config:

<system.web>
    <compilation debug="true" targetFramework="4.0" />
    <httpRuntime requestValidationMode="2.0" />
</system.web>

MSDN information: HttpRuntimeSection.RequestValidationMode Property

HasanG
  • 2
    that's awesome, but does anybody know of a way to set this per page? Also how do I put this in web.config so that it would still work with .NET 2? – MK. Jun 18 '10 at 20:43
  • 1
    @MK: I don't think there is a page directive for this setting. You cannot make it run on .NET 2. I don't think that would be necessary. Because you can just build a web app targeting only one framework version. Just copy this line to the .NET 4 web.config which needs it... – HasanG Jun 18 '10 at 23:23
  • 2
    But what has changed in validation for .net 4? Is there a way to do it without changing validation mode? – Sly Dec 10 '10 at 14:12
  • 4
    @Sly: You can find answer here: http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes#0.1__Toc256770147 – HasanG Dec 10 '10 at 20:34
  • can anyone please let me know why in asp.net 4.0 application using requestValidationMode="2.0" is a good idea? – fc123 Oct 16 '14 at 16:05
  • 1
    This worked for me. I could go without it within VS, but on a live server, I had to have this for the site to run as intended. Thank you, HasanG – CodingEE Jul 31 '22 at 18:42
105

There is a way to turn the validation back to 2.0 for one page. Just add the below code to your web.config:

<configuration>
    <location path="XX/YY">
        <system.web>
            <httpRuntime requestValidationMode="2.0" />
        </system.web>
    </location>

    ...
    the rest of your configuration
    ...

</configuration>

Matthew Lock
Ben Hoffman
59

I know this is an old question, but if you encounter this problem in MVC 3 then you can decorate your ActionMethod with [ValidateInput(false)] and just switch off request validation for a single ActionMethod, which is handy. And you don't need to make any changes to the web.config file, so you can still use the .NET 4 request validation everywhere else.

e.g.

[ValidateInput(false)]
public ActionResult Edit(int id, string value)
{
    // Do your own checking of value since it could contain XSS stuff!
    return View();
}

Tom Chantler
28

This works without changing the validation mode.

You have to use a System.Web.Helpers.Validation.Unvalidated helper from System.Web.WebPages.dll. It is going to return an UnvalidatedRequestValues object which allows you to access the form and QueryString without validation.

For example,

var queryValue = Server.UrlDecode(Request.Unvalidated("MyQueryKey"));

Works for me for MVC3 and .NET 4.

naveen
Assassin
  • 1
    Can you please provide an example of how to retrieve a queryString with this method? I keep getting 'Unvalidated is not a member of...' all objects I try to append it to. I think I might be missing an include – CodedMonkey May 23 '12 at 21:04
  • 3
    var queryValue = Server.UrlDecode(Request.Unvalidated("MyQueryKey")); – sfuqua May 23 '12 at 21:12
  • 1
    This definitely should be the accepted answer. Maintains security and is extremely flexible since you can use it on a selective basis. – cmartin Jun 05 '15 at 18:38
  • For Web Forms you have to replace the entry in the QueryString collection to avoid the validation error; see [A potentially dangerous Request.QueryString value was detected from the client when sending html markup from jquery post call to asp.net page](//stackoverflow.com/a/44204652) – Michael Freidgeim Jun 09 '17 at 11:02
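The selective read described in the answer above, shown in an MVC 3 controller as an added example that is not part of the original posts. The controller, the field names "Title" and "Body", and the length limit are assumptions made for illustration; the `using System.Web.Helpers;` line is what brings `Unvalidated` into scope.

```csharp
using System.Web;
using System.Web.Helpers;   // Unvalidated() is an extension method declared here
using System.Web.Mvc;

// Hypothetical controller; "Title" and "Body" are assumed form field names.
public class ArticleController : Controller
{
    private const int MaxBodyLength = 20000;   // assumed application limit

    [HttpPost]
    public ActionResult Preview()
    {
        // Normal accessor: this value still goes through request validation.
        string title = Request.Form["Title"];

        // Only the rich-text field is read without request validation.
        string rawBody = Request.Unvalidated("Body") ?? string.Empty;

        // Request validation no longer guards this value, so apply the
        // application's own checks before using it.
        if (rawBody.Length > MaxBodyLength)
        {
            return new HttpStatusCodeResult(413);
        }

        // Encode at the point of output so the markup is displayed as text
        // instead of being interpreted by the browser.
        string html = "<h1>" + HttpUtility.HtmlEncode(title) + "</h1>"
                    + "<pre>" + HttpUtility.HtmlEncode(rawBody) + "</pre>";
        return Content(html, "text/html");
    }
}
```

If the editor content has to be rendered as HTML rather than shown as text, it needs an allow-list sanitizer before output instead of plain encoding.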
16

Note that another approach is to keep with the 4.0 validation behaviour, but to define your own class that derives from RequestValidator and set:

<httpRuntime requestValidationType="YourNamespace.YourValidator" />

(where YourNamespace.YourValidator is, well, you should be able to guess...)

This way you keep the advantages of 4.0's behaviour (specifically, that the validation happens earlier in the processing), while also allowing the requests you need to let through, through.

Jon Hanna
  • 7
    This is good to know. But I still think the whole request validation feature of ASP.Net is misguided. The input itself is not the problem, it's what you *do* with it. It can be perfectly valid to accept SQL, HTML, or JavaScript code as input to your app, as long as you are encoding/escaping it properly before you output it or store it in your database. – Jordan Rieger Aug 02 '12 at 17:36
  • 2
    @JordanRieger I partly agree. OOTB, it at least has the advantage of defaulting to secure (don't think things through and you get errors, rather than 0wned), but it's a bit of a nuisance and the pre-4.0 behaviour is very all-or-nothing. There is something to the ability to have a validation layer that gets used before any other processing, as with a custom requestValidationType, but a lot of validation needs to be more tied in with other processing. In all I think it does more to protect people with bad habits from some (but not all) spl0its than to encourage good habits. – Jon Hanna Aug 02 '12 at 18:13
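One way to write the validator this answer describes, as an added example that is not part of the original post: it lets markup through for a single form field on a single page and defers to the stock ASP.NET 4.0 check for everything else. The page path and field name are assumptions; `YourNamespace.YourValidator` matches the placeholder in the answer's config line.

```csharp
using System;
using System.Web;
using System.Web.Util;

namespace YourNamespace
{
    // Keeps ASP.NET 4.0 early request validation for every value except
    // one known rich-text field on one known page.
    public class YourValidator : RequestValidator
    {
        // Assumed values: set these to the page and field hosting the editor.
        private const string EditorPath = "~/Admin/EditArticle.aspx";
        private const string EditorField = "ctl00$MainContent$ArticleBody";

        protected override bool IsValidRequestString(
            HttpContext context, string value,
            RequestValidationSource requestValidationSource,
            string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = -1;

            bool isEditorField =
                requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, EditorField, StringComparison.Ordinal) &&
                string.Equals(context.Request.AppRelativeCurrentExecutionFilePath,
                              EditorPath, StringComparison.OrdinalIgnoreCase);

            if (isEditorField)
            {
                // Markup is expected here. The page itself must sanitize or
                // encode the value before storing or rendering it.
                return true;
            }

            // Query strings, cookies, headers and all other form fields
            // get the built-in check.
            return base.IsValidRequestString(context, value,
                requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}
```

Matching on both the path and the exact field name keeps the exemption from applying to the same field name posted to any other page.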
-1

I found the solution here: https://www.aspsnippets.com/Articles/Solved-ValidateRequest-false-not-working-in-Net-40-and-45-in-ASPNet.aspx

Summary:

  1. If you want to set this at page level, set ValidateRequest="false" like this: <%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false" %>
  2. You also need to modify httpRuntime to have requestValidationMode="2.0" or add it to <system.web> like this:

     <system.web>
         <httpRuntime maxRequestLength="91200" executionTimeout="9000" requestValidationMode="2.0" />
     </system.web>

That works for me in .NET 4.8

tala9999