Validation exception even with ValidateRequest="false"

Question

I have a textbox in a web form where an admin user can add HTML to be submitted for entry into the database.

In the past, I've always added ValidateRequest="false" to the Page when submitting HTML data to avoid validation error. However, with this website, even with ValidateRequest set to false, I'm getting the following error:

A potentially dangerous Request.Form value was detected from the client

I've heard this is to do with .NET 4 security, but this is an ASP.NET 3.5 application.

Why am I still getting this error?

@RoyiNamir - Do you mean `Server.HtmlEncode`? This doesn't work, your encoding server side so its still passing HTML with the form which is against security. — Curtis, Nov 08 '11 at 16:25

score 2 · Accepted Answer · answered Dec 22 '11 at 16:12

RequestValidation has significant changes in .Net 4.0.

Take a lot at: http://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.requestvalidationmode(VS.100).aspx

To solve your problem you have to set requestValidationMode to a value less than 4.0 in httpRuntime in weh.config like this:

<httpRuntime requestValidationMode="2.0" />

score 0 · Answer 2 · answered Jul 11 '19 at 06:30

If you are nervous about setting the request validation back to .net 2 - just add a location flag to web config (along with setting ValidateRequestMode="Disabled" on the text box you want to allow special chars in). The location setting in web.config is like this:

  <location path="login.aspx">
    <system.web>
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>

See excellent article, and comments, regarding this here: https://weblog.west-wind.com/posts/2010/Aug/19/RequestValidation-Changes-in-ASPNET-40

Validation exception even with ValidateRequest="false"

2 Answers2