16

I have an ASP.NET application which has some problems when I enter special characters such as ": &#, " in the search box. If I enter this text in the search box, I get an exception like this.

A potentially dangerous Request.Form value was detected from the client (txtValue=": &#, ").

Then I searched on the net and found one general solution for this: to set ValidateRequest to false. But no changes have been made on my application. Please help me solve this issue. Any response would be appreciated.

MAC
  • 1
    Where exactly did you set ValidateRequest? – EMP Jun 02 '10 at 06:10
  • <%@ Page ValidateRequest="false" – MAC Jun 02 '10 at 06:12
  • Possible duplicate of [A potentially dangerous Request.Form value was detected from the client](http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client) – Burgi Mar 28 '17 at 13:16

4 Answers

24

Add a web.config containing

<system.web>
    <pages validateRequest="false" />
</system.web>

to the directory with the page that has the form in question.

See http://www.asp.net/learn/whitepapers/request-validation for a complete description.

In case you use asp.net 4.0, you may try

<httpRuntime requestValidationMode="2.0" />

See also

Community
marapet
  • Hm, works in all my web applications. Do you use .net 2.0 or above? Which OS? – marapet Jun 02 '10 at 06:17
  • .net 3.5 and OS is server 2003 IE8 – MAC Jun 02 '10 at 06:38
  • Sorry, works for me in the same environment. I'd try to reproduce this behavior on a clean web site in order to exclude other components and web.config settings. – marapet Jun 02 '10 at 07:12
  • 2
    If you need to set ValidateRequest="false", you should do it on a page-by-page basis in the <%@ Page %> directive; otherwise you're potentially opening a security hole in your whole application. – PhilPursglove Jun 02 '10 at 08:17
  • 1
    @PhilPursglove I agree that it is best practice to do by a page-by-page basis - unless you know what you are doing. ValidateRequest=true is a security measure for web applications which are not properly coded. From the above linked page on www.asp.net: "This request validation feature can be disabled when the application has been designed to safely process HTML data." And of course we do exactly that, don't we?! I usually do it on a directory basis. Special care is to be taken if you use 3rd party components that rely on that request validation (but you shouldn't use those anyway...). – marapet Jun 02 '10 at 08:55
  • It saved me.. Thanks : – Topman Jun 05 '17 at 10:27
  • I'm afraid the above no longer works. What works is that specified by Jamie M, i.e. adding the [ValidateInput(false)] attribute on the controller in question. – Hashim Akhtar Nov 26 '17 at 18:14
18

A little late, but in agreement with those saying putting this in web.config is a security hole.

I do it with the [ValidateInput(false)] attribute on the controller in question.

ValidateInput is found in System.Web.MVC in MVC2

crthompson
Jamie M
2

I created a table article with columns articleId and article_content. I also used html editor for article_content column. When I tried to save I got the same error. It was resolved by adding [AllowHtml] to the article_content property in the class.

Don’t forget to include the namespace using System.Web.Mvc. For more details: http://www.infinetsoft.com/Post/A-potentially-dangerous-Request-Form-value-was-detected-from-the-client/1246

Julien Lopez
Mohamed Rasik
1

Using Framework 4.5, the solution is to modify web.config, adding the following line:

<httpRuntime requestValidationMode="4.5"/>

And getting the request as follows:

string reportXML = this.Request.Unvalidated.Form["reportstream"];
Manuel Sansone
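
An added example, not taken from any of the answers: a hypothetical handler, `SearchHandler`, that reads only the question's `txtValue` field through `Request.Unvalidated`, leaves every other field under request validation, and encodes the value for each place it is written, since that field no longer has request validation in front of it. The `page` field, the `search.ashx` URL and the length limit are assumptions; it needs `<httpRuntime requestValidationMode="4.5" />` in web.config.

```csharp
using System.Web;

// Hypothetical generic handler (e.g. wired up as search.ashx).
public class SearchHandler : IHttpHandler
{
    private const int MaxTermLength = 200; // assumed limit for a search term

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        // Opt out of request validation for this one field only.
        string term = request.Unvalidated.Form["txtValue"] ?? string.Empty;

        // The value is now raw user input: apply the checks the field needs.
        if (term.Length > MaxTermLength)
        {
            response.StatusCode = 400;
            return;
        }

        // Any other field is still read through the validated collection,
        // so markup in it raises HttpRequestValidationException as before.
        string page = request.Form["page"] ?? "1";

        response.ContentType = "text/html; charset=utf-8";

        // HTML element content: HtmlEncode.
        response.Write("<p>Results for: " + HttpUtility.HtmlEncode(term) + "</p>");

        // HTML attribute value: HtmlAttributeEncode.
        response.Write("<input type=\"text\" name=\"txtValue\" value=\""
            + HttpUtility.HtmlAttributeEncode(term) + "\" />");

        // URL query string component: UrlEncode.
        response.Write("<a href=\"search.ashx?q=" + HttpUtility.UrlEncode(term)
            + "&amp;page=" + HttpUtility.UrlEncode(page) + "\">Link to this search</a>");
    }
}
```

With this in place the string ": &#, " from the question is accepted and is written back as text rather than markup.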