3

here are the definations from MSDN,

4.0 (the default). The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever any HTTP request data is accessed. This guarantees that the request validation is triggered before data such as cookies and URLs are accessed during the request. The request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are ignored.

2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.

but I don't follow, can some help to explain a little bit?

fengd
  • 7,551
  • 3
  • 41
  • 44

1 Answers1

3

You might have a look at this

Think of it as that not only request from .aspx pages are validated for malicous requests, rather than all requests are validated. This might result it websites breaking their functionality if they were upgraded from 2.0 to 4.0

To be honest, I don't now why certain request fail. So far I've only set my 4.0 apps back to 2.0 validation

<httpRuntime requestValidationMode="2.0" />
citronas
  • 19,035
  • 27
  • 96
  • 164
  • I just found the article you points to, which makes more sence to me. Thanks for your explain. But I stil have a question. Why the "ValidateInput(false)" attribute has to work with requestValidationMode 2.0 in MVC 3. still don't get it – fengd Mar 25 '11 at 07:28
  • @Jun1st: I can only talk from a WebForms perspective, though I have no MVC expierience. In WebForms you can specify ValidateRequest on a PageLevel to false, but that only means that the .aspx page should not be validated. If the validation fails for some other requests, you still get the error. – citronas Mar 25 '11 at 07:34