16

We've just upgraded to ASP.NET 4.0, and found that requestValidation no longer works. The MSDN docs suggest we need to set requestValidationMode in web.config to 2.0:

  • 4.0 (the default). The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever any HTTP request data is accessed. This guarantees that the request validation is triggered before data such as cookies and URLs are accessed during the request. The request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are ignored.
  • 2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.

This will work for us, however I'm a little puzzled. It seems that we're putting this into a legacy/compatibility mode. Surely it should be possible to have the 4.0 behaviour, but still have an option to turn this off on a page?

abatishchev
  • 98,240
  • 88
  • 296
  • 433
Danny Tuppeny
  • 40,147
  • 24
  • 151
  • 275
  • Since this question was asked, there is now a "4.5" option, the default, described as "In this mode, values are lazily loaded, that is, they are not read until they are requested." I tested this, and it seems to respect both the @Page ValidateRequest directive and also the control-level ValidateRequestMode. – user0474975 Mar 22 '21 at 13:13
  • @user0474975 you should post this as an answer :) – Danny Tuppeny Mar 23 '21 at 16:45

5 Answers5

26

I found a way to achieve this without changing RequestValidationMode to 2.0 to the whole site:

You can crate a sub-directory for the page you want to disable the request validation and add a new web.config to this directory with RequestValidationMode set to 2.0, this way only this directory will work in 2.0 mode without affecting all other requests that will work in 4.0 mode.

I think you can add an location section to your main web.config specifying only one page, but I didn't tested this yet. Something like this:

<location path="Admin/Translation.aspx">
    <system.web>
        <httpRuntime requestValidationMode="2.0"/>
    </system.web>
</location>

Hope it helps you as helped me !

Jeison Souza
  • 434
  • 4
  • 4
  • 5
    Works perfect, thanks. Some things I learned: Location is added under as a sibling to . The path attribute value cannot begin with a prefixed /. Can add a single page, or entire folder (do not use trailing /) – mellodev Oct 03 '12 at 19:04
5

Your best bet is to override the requestValidationType with your own code:

<httpRuntime requestValidationType="YourNamespace.YourValidator" />

MSDN link

Scott R. Frost
  • 2,026
  • 1
  • 22
  • 25
  • 1
    I had to use this technique for my MVC application. I had a 3rd party controller that needed to receive HTML as a parameter and the other answers here weren't working. Thank you ScottRFrost. – Aron Boyette Feb 11 '15 at 23:33
3

It appears that it is not possible to turn this on or off for a page in requestValidationMode 4.0.

This whitepaper outlines breaking changes in .Net 4.0, of which this seems to be one. Even the whitepaper suggests reverting back to requestValidationMode 2.0

To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:

<httpRuntime requestValidationMode="2.0" />

Although it also helpfully recommends

that you analyze any request validation errors to determine whether existing handlers, modules, or other custom code accesses potentially unsafe HTTP inputs that could be XSS attack vectors.

without giving any guidance on how best to resolve these issues

James Toyer
  • 405
  • 4
  • 10
1

Set requestValidationMode="0.0" to disable ASP.NET pages and HTTP requests validation. Value 0.0 recognized in ASP.NET 4.6 and later. MSDN

<configuration>
  <system.web>
    <httpRuntime requestValidationMode="0.0" />
Dmitry Shashurov
  • 1,148
  • 13
  • 11
-6

You can set ValidateRequest to false in the page directive:

<%@ Page ValidateRequest="false" %>
James Johnson
  • 45,496
  • 8
  • 73
  • 110
Rajeev Shenoy
  • 910
  • 6
  • 13
  • 1
    @James Johnson Thanks for formatting my answer correctly (to look like code instead of text) – Rajeev Shenoy Oct 12 '11 at 14:01
  • @Stilgar: Understood what the actual problem was after you questioned me, thanks :( – Rajeev Shenoy Oct 12 '11 at 14:12
  • As mentioned, this doesn't work :( In v4, "The request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are ignored" – Danny Tuppeny Oct 12 '11 at 14:42