25

I have this issue. I have tried everything. ValidateRequest="false".. and decoding and encoding html.. etc. etc..

What I need is a popup box (so I'm using ModalPopupExtender) to present to a user, where people can type in XML settings and click an OK/Cancel button to close the popup and save.

However, I keep getting this error: "A potentially dangerous Request.Form value was detected from the client".

Here is my test code below (quick example of my scenario and error)..

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm1.aspx.cs" Inherits="WebApplication1.WebForm1"
    ValidateRequest="false" %>

<%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit" TagPrefix="cc1" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <asp:ScriptManager ID="ScriptManager1" runat="server">
    </asp:ScriptManager>
    <div>
        <asp:Panel ID="Popup" runat="server" Width="800px" Style="display: none;">
            <asp:LinkButton ID="Display" runat="server" Style="display: none;" OnClick="Display_Click" />
            <cc1:ModalPopupExtender ID="ModalPopupExtender" runat="server" TargetControlID="Display"
                PopupControlID="Popup" DropShadow="false" Y="10" />
            <div id="Item">
                <div class="Item">
                    <table width="100%">
                        <tr>                                
                            <td>
                                <textarea id="txtAreaValue" cols="35" rows="6" style="resize: none;" runat="server" />
                            </td>
                        </tr>
                        <tr>                                
                            <td>
                                <asp:Button ID="btnOk" Text="Ok" SkinID="default" Width="50px" runat="server" />
                                <asp:Button ID="btnCancel" Text="Cancel" SkinID="default" Width="50px" OnClick="BtnCancel_Click"
                                    runat="server" />
                            </td>
                        </tr>
                    </table>
                </div>
            </div>
        </asp:Panel>
    </div>
    </form>
</body>
</html>

Code Behind:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace WebApplication1
{
    public partial class WebForm1 : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            ModalPopupExtender.Show();
            string str = "<?xml version=\"1.0\" encoding=\"utf-8\"?><XmlConfig xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"> <XmlConfig Type=\"TEST\" DefiningXpath=\"/PERSON/NAME\"><Index Name=\"Name\" XPath=\"/PERSON/NAME/VALUE\" Type=\"String\" /><Index Name=\"Id\" XPath=\"/PERSON/NAME/ID\" Type=\"String\" /> </XmlConfig></XmlConfig>";

            txtAreaValue.InnerText = str;
        }

        protected void Display_Click(object sender, EventArgs e)
        {
            //Shows the Item detail Edit box
            ModalPopupExtender.Show();
        }

        protected void BtnCancel_Click(object sender, EventArgs e)
        {
            ModalPopupExtender.Hide();
        }
    }
}

To run the code, add a reference to AjaxControlToolkit.dll and then run it, and you will see the textarea being populated with XML. Click on the Cancel button and this causes the error. Please, can anyone help me?

user929153
  • 2
    Check out this http://stackoverflow.com/questions/2673850/validaterequest-false-doesnt-work-in-asp-net-4 – mikey Feb 03 '12 at 14:33
  • possible duplicate of [A potentially dangerous Request.Form value was detected from the client](http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client) – Jon Egerton Feb 03 '12 at 14:34
  • Thanks mikey :-) It worked.. Thanks, can't believe it was that simple.. – user929153 Feb 03 '12 at 14:38
  • Another question: does this only work on framework 4? What about 3.5? – user929153 Feb 03 '12 at 14:42
  • It shouldn't be needed on 3.5 as the issue is from a change that happened with 4.0 (I didn't notice the one mikey linked to, though I disagree with @JonEgerton's duplicate claim as while all the info is in there, it's not the same Q&A though mikey's is). – Jon Hanna Feb 03 '12 at 14:46
  • Listen user92.. You should heed Jon's warning and make sure you understand what you just disabled, and take measures to prevent successful attacks.. In my case I needed to let administrators input HTML and scripts, so I limited the ValidateRequest=false settings to only pages that were accessible by administrators. Even then an attacker who can get an admin account could do some real damage to the users who would eventually see that admin-entered code. – mikey Feb 03 '12 at 15:05
  • Check out http://stackoverflow.com/a/41679040/58553 it has a solution! – Peter Jan 16 '17 at 14:57
  • 1
    Possible duplicate of [A potentially dangerous Request.Form value was detected from the client](http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client) – Burgi Mar 28 '17 at 13:16

8 Answers

50

Use

<httpRuntime requestValidationMode="2.0" />

in your web.config (keeping any attributes you already have on that element, if it's already there). ASP.NET 4.0 ignores ValidateRequest otherwise.

And, of course, do make sure that you take necessary measures to protect against genuinely dangerous requests, now that it's not being done for you.

Edit: A great way of doing this is to create your own class derived from RequestValidator, and using the 4.0 behaviour, but with that as the class that does the checking.

Jon Hanna
  • Hi Jon is there any way to achieve this without changing web.config file. Sorry for asking question at wrong place :) – MaxRecursion Aug 20 '12 at 14:56
  • 3
    @AkshayKulkarni change the main .NET config to change the default web.config? I'd imagine that'd work, but if you don't want to change the web.config, you really don't want to change this. Really though, it doesn't make a lot of sense to have a high-level configuration to block something that isn't enforced at that level. Why do you not just change the web.config? – Jon Hanna Aug 20 '12 at 15:58
  • 1
    Additionally I found a good description here at MSDN: [Disabling Request Validation](https://msdn.microsoft.com/en-us/library/hh882339.aspx). You can use the `` setting in ``. – Matt Nov 08 '16 at 15:55
29

Here are possible solutions which may help you. Make a server-side configuration setting for this. If you want to allow HTML elements as input from selected pages in your project, then you set this page attribute.

<%@ Page ValidateRequest="false" %>

Set this ValidateRequest="false" on each page. If you want it on all pages in your project, then make changes in the Web.Config file. Add this tag in the <system.web> section.

If you are using .NET 4.0, then you have to make one more change in the Web.Config file. Add this tag in the <system.web> section.

<httpRuntime requestValidationMode="2.0" />

Here is the configuration to not validate requests for all pages in .NET 4.0:

<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
</configuration>
Blarghedy
Jayesh Sorathia
5

Well, people are talking about Asp.net 4.0 only... I guess we need to address other versions too. Today, I had the same problem when I replaced my AjaxToolkit editor with TinyMCE and with the postback I found the same issue.

"A potentially dangerous Request.Form value was detected from the client"..

So I used this line inside my web.config and it worked for me.

<system.web>
    <pages validateRequest="false" />
</system.web>

It should work across Asp.net 2.0 to 3.5.

UPDATE: Even works up to .NET 4.5

UPDATE: You can also try to validate the request at page level rather than for the whole website. Just wanted to let the readers choose the best way. Thanks DVD for pointing this out.

BradleyDotNET
KMX
  • 3
    using requestValidationMode="2.0" and turning off validation (ValidateRequest="false") only on the page needed would be better for security, instead of turning off validation for the entire site. – dvdmn Feb 12 '14 at 13:54
  • @dvdnhm, dude, the question was how to get the error fixed... No matter if it's for one page or entire web. It could be done one way or another. – KMX Feb 16 '14 at 21:38
  • @BradleyDotNET (slow_clap) – KMX Oct 24 '14 at 20:53
  • 1
    Why someone would mark it negative without telling the issue? – KMX Oct 01 '16 at 02:59
1

I created a table article with columns articleId and article_content. I also used an HTML editor for the article_content column. When I tried to save, I got the same error. It was resolved by adding [AllowHtml] to the article_content property in the class.

 [AllowHtml]
 [Required]
 public string article_content { get; set; }

Don’t forget to include the namespace using System.Web.Mvc. For more details: http://www.infinetsoft.com/Post/A-potentially-dangerous-Request-Form-value-was-detected-from-the-client/1246

Mohamed Rasik
1

You can use JavaScript to encode the values before sending to the server, if that suits your needs

see this answer

Community
Peter Kerr
0

There are 3 options to remove this error.

  1. Set validateRequest="false" in page directives.
  2. Set validateRequest="false" in web.config file.
  3. Set requestValidationMode="2.0" in web.config if you are using DotNet 4.0

Check out this link for more info.

Wai Ha Lee
user193887
0

"A potentially dangerous Request.Form value was detected from the client"..

1) Set httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="&lt;,&gt;,\" in the web.config file

2) Set validateRequest="false" inside the pages tag in the web.config file

<system.web>
    <httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="&lt;,&gt;,\" />
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" validateRequest="false" />
</system.web>
Wanna Coffee
0

I faced this same problem while sending some email templates from aspx page to code behind....

So I tried to solve this by adding

 <httpRuntime requestValidationMode="2.0" />

in my web config, but that did not help me unless I put the

ValidateRequest="false"

attribute in the page directive of the aspx page.

Tapan kumar