User control A potentially dangerous Request.QueryString value was detected from the client

Question

I have a user control and i am passing in a query string which .net seems to think is dangerous.. I have put in my web.config

<httpRuntime requestValidationMode="2.0" enableVersionHeader="false" maxUrlLength="10999" maxQueryStringLength="2097151"/>

<security>
      <requestFiltering>
        <requestLimits maxUrl="10999" maxQueryString="2097151" />
      </requestFiltering>
    </security>

My user control is:

  <%@ Control Language="C#" AutoEventWireup="true" CodeBehind="Member.ascx.cs" Inherits="DOM.Umbraco.Web.usercontrols.Members" %>

But still no hope.. How can i get this to allow this query string?

Thanks Dom

[Similar?](http://stackoverflow.com/questions/3885697/a-potentially-dangerous-request-querystring-value-was-detected-from-the-client-w) — GVashist, Feb 03 '15 at 14:49

score 0 · Answer 1 · answered Feb 03 '15 at 14:51

0

You could disable request validation with this web.config setting

<configuration>
   <system.web>
      <pages validateRequest="false" />
   </system.web>
</configuration>

Take into account that no validation at all could lead to security problems. You need to replace the built in validation to some custom made code to clean up data from client.

If you want to restrict this setting only to the page where the user control is used, you can use this page directive

<@ Page validateRequest="false" %>

answered Feb 03 '15 at 14:51

Claudio Redi

67,454
15
130
155

its a control not a page?? – Dom Adams Feb 03 '15 at 14:54
@Dom Adams: and what's the problem? My first approach disable request validation for the entire site. – Claudio Redi Feb 03 '15 at 14:55
Both do not work.. says The requested page cannot be accessed because the related configuration data for the page is invalid. @claudioRedi – Dom Adams Feb 03 '15 at 15:02
@Dom Adams: it seems you're making a mistake changing web.config. Error should include a detail about what's wrong on your web.config – Claudio Redi Feb 03 '15 at 15:20

score 0 · Answer 2 · answered Feb 03 '15 at 16:13

override the request validator and allow the characters you require. Be careful, if the data is going to be re-displayed it will contain the original content, which could be dangerous. i.e. script tags

public class CustomRequestValidator : System.Web.Util.RequestValidator
{
    protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
    {
        validationFailureIndex = 0;

        if (requestValidationSource == RequestValidationSource.Form)
        {
            value = value.Replace("<", "").Replace(">", "");
        }
        return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
    }
}

User control A potentially dangerous Request.QueryString value was detected from the client

2 Answers2