Special character causes "A potentially dangerous Request.Form value"

Question

I'm building a footnote editor for a specific need and I need a drop list that shows special characters such as a dagger (&#134). Not sure if it matters, but the drop list is in a ajax modal popup form. Whenever I try to display the popup form, I get the error "A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$ucFootNoteList$DropDownList1="*, &#134")."

I tried adding <httpRuntime requestValidationMode="2.0" /> to the Web.config file.

How do I show a special character in this scenario without this error coming up?

Answer 1

You could set the validateRequest property on the Page header of the corresponding WebForm to disable request validation and allow posting HTML characters:

<%@ Page validateRequest="false" %>

This could also be done globally for all WebForms in the web.config:

<pages validateRequest="false" />

Here's an article on MSDN where you could read more about request validation in ASP.NET.

Answer 2

You can disable the ValidateRequest property but [very important!] please sanitize your input using a library like AntiXss, like this one:

http://wpl.codeplex.com/

Otherwise you will be vulnerable to input attacks (injections, xss etc.)

In fact the reason your request is "potentially dangerous" is because the runtime thinks some is trying to inject some HTML, that's why you cant insert < bla >

Answer 3

Disable the ASP.NET request validation feature. To do so, in Web page's .aspx file, set the Page ValidateRequest setting that is shown here.

<%@ Page ValidateRequest="false"%>

Alternately, in the Web application's Web.config file, set the validateRequest attribute of the section to false.

<configuration>
    <system.web>
        <pages validateRequest="false" />
        </system.web>
    </configuration>

Source : http://msdn.microsoft.com/en-us/library/ee517280.aspx