0

So, is it possible for the form to just show a validation error (like "HTML is not allowed") instead of throwing the exception

A potentially dangerous Request.Form value was detected from the client

when I include HTML in the input? I don't want to accept HTML, but I also don't like getting an exception.

Charles
FrEaKmAn

2 Answers

0

In ASP.NET 4.0, request validation is enabled for all requests by default.

http://www.asp.net/whitepapers/aspnet4/breaking-changes

You can still force your app to ignore this check.

See link for details:-

ValidateRequest="false" doesn't work in Asp.Net 4

However, I wouldn't advocate this strategy. It's much better to try to validate the text with JavaScript before sending to the server to ensure it doesn't contain any characters that trip the ValidateRequest behaviour.

This question covers all of those characters:-

What characters or character combinations are invalid when ValidateRequest is set to true?

If your user does not have JavaScript enabled, you'll still hit the error. In that (rare) case, you can fall back on customErrors so that you at least show something that is prettier than the yellow error page.

Community
Paul Alan Taylor
  • I would suggest that rather than modifying user entered data, it's much better to just encode it whenever it's displayed. – ajbeaven Nov 12 '12 at 22:10
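
The JavaScript pre-check suggested in the answer above, as an added example that is not part of the original answers. It assumes ASP.NET 4 request validation rejects `<` followed by a letter, `!`, `/` or `?`, and the sequence `&#`; the form id `commentForm` and the `data-error-for` attribute are hypothetical.

```javascript
// Added example: client-side pre-check mirroring ASP.NET 4 request validation.
// Assumption: the server flags "<" followed by a letter, "!", "/" or "?",
// and the sequence "&#". Verify against the framework version you run.
const DANGEROUS = /<[A-Za-z!\/?]|&#/;

// Returns the index of the first sequence the server would reject, or -1.
function firstDangerousIndex(value) {
  const m = DANGEROUS.exec(String(value == null ? '' : value));
  return m ? m.index : -1;
}

// fields: { name: value }. Returns { name: message } for every rejected field.
function validateFields(fields) {
  const errors = {};
  for (const [name, value] of Object.entries(fields)) {
    const at = firstDangerousIndex(value);
    if (at !== -1) {
      errors[name] = 'HTML is not allowed (found near character ' + (at + 1) + ').';
    }
  }
  return errors;
}

// Browser wiring (hypothetical form id "commentForm"); skipped outside a browser.
if (typeof document !== 'undefined') {
  const form = document.getElementById('commentForm');
  if (form) {
    form.addEventListener('submit', function (event) {
      const fields = {};
      for (const el of form.querySelectorAll('input[type=text], textarea')) {
        fields[el.name] = el.value;
      }
      const errors = validateFields(fields);
      if (Object.keys(errors).length > 0) {
        event.preventDefault(); // keep the post from reaching the server check
        for (const el of form.querySelectorAll('[data-error-for]')) {
          el.textContent = errors[el.getAttribute('data-error-for')] || '';
        }
      }
    });
  }
}
```

Input such as `a < b` or `AT&T` passes this check, while `<b>`, `</p>`, `<!--` and `&#60;` are reported as validation errors before the form is posted. The server-side check still applies to any request that bypasses the script.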
-1

You can handle application behavior on errors in your web.config file:

<system.web>
…
   <customErrors defaultRedirect="/ErrorPage" mode="RemoteOnly"></customErrors>
…
</system.web>

Moreover, besides specifying whether to show detailed errors or not, you can also redirect the user to a specific page to show custom error pages that you have designed.

For more information about this, check the MSDN explanation for the customErrors element.

SajjadHashmi