1) This article might help you understand ValidateRequest better:
https://infosecauditor.wordpress.com/2013/05/27/bypassing-asp-net-validaterequest-for-script-injection-attacks/
Some excerpts:
ValidateRequest is present in ASP.NET versions 1, 2 and 3. ASP.NET version 4 does not use the ValidateRequest filter.
ValidateRequest validates user input and returns false when the following conditions are met:
<a-z – A ‘<’ character followed by an alpha character.
<!, </, <? – A ‘<’ character followed by a special character.
&,# – A special character.
You can write your own custom validator which extends RequestValidator & takes care of these things.
Eg:
2)
Is there any way to show error on the same page
Yes, but then you will have to validate the input yourself & say bye to ASP.NET benefits: https://gargmanoj.wordpress.com/tag/httprequestvalidationexception/
No, because an Application Error has happened & ASP.NET has stopped processing it. But you can definitely show a custom error page.
See the answer here & here:
// Global.asax: runs for any unhandled exception in the application.
protected void Application_Error(object sender, EventArgs e)
{
    var context = HttpContext.Current;
    var exception = context.Server.GetLastError();

    // Request validation failures surface as HttpRequestValidationException.
    if (exception is HttpRequestValidationException)
    {
        // Clear the error so the default "potentially dangerous Request.Form value" page is not shown,
        // then send the user to a custom error page instead.
        context.Server.ClearError();
        context.Response.Redirect("~/ErrorPage.aspx");
        return;
    }
}
There is also the option of the AntiXss encoder class for encoding the output values:
<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" />
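An added example (not part of the answer above) of the custom validator extending RequestValidator that point 1 mentions: it keeps the built-in checks for every input, exempts a single form field that is assumed to be HTML-encoded on output (for instance via the AntiXssEncoder setting above), and records each rejection so attempts are visible in logs. The namespace `MyApp.Security` and the field name `CommentBody` are assumptions.

```csharp
// Added example: custom request validator. Namespace and field name are assumptions.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Util;

namespace MyApp.Security
{
    public class LoggingRequestValidator : RequestValidator
    {
        // The only form field exempt from the built-in filter. Its value must be
        // HTML-encoded on output (e.g. with AntiXssEncoder) before it is rendered.
        private const string ExemptFormField = "CommentBody";

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // Exempt exactly one field, and only when it arrives as a form (POST) value,
            // so query-string, cookie, header and path values are still validated.
            if (requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, ExemptFormField, StringComparison.Ordinal))
            {
                return true;
            }

            // Everything else goes through the default ASP.NET checks ("<a-z", "<!", "&#", ...).
            bool ok = base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey, out validationFailureIndex);

            if (!ok)
            {
                // Record which input was rejected and where, so repeated attempts show up in logs.
                Trace.TraceWarning(
                    "Request validation rejected {0} value '{1}' at index {2} from {3}",
                    requestValidationSource, collectionKey, validationFailureIndex,
                    context != null ? context.Request.UserHostAddress : "unknown");
            }
            return ok;
        }
    }
}
// Register it in web.config (requestValidationType requires requestValidationMode 4.0 or later):
// <httpRuntime requestValidationMode="4.0"
//              requestValidationType="MyApp.Security.LoggingRequestValidator" />
```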