Wednesday, September 17, 2014

A potentially dangerous Request.Form value was detected from the client

Server Error in 'ASP.Net' Application.

A potentially dangerous Request.Form value was detected from the client (TextBox1="<p>Hello</p>").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TextBox1="<p>Hello</p>").
Cause
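To guard against script injection (the error description above names cross-site scripting), ASP.NET by default rejects posted values that contain HTML tags, that is, the "<" and ">" characters.
It is recommended to let this check run on each postback.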
Solution
Sometimes you need to submit HTML content to your page through rich text boxes or rich text editors. In that case you can avoid this exception by setting the ValidateRequest attribute in the @Page directive to false.
<%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false" %>
This disables request validation only for the page on which you set ValidateRequest to false.
To disable request validation for all pages, set validateRequest to false in the <system.web> section of your web.config:
<pages validateRequest ="false" />
For .Net 4.0 or higher frameworks you will need to also add the following line in the <system.web> section to make the above work.
<httpRuntime requestValidationMode = "2.0" />
That’s it. Hope this helps you in getting rid of the above issue.
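The error description above recommends explicitly checking all inputs once request validation is off. One way to do that for a rich-text field, as an added example that is not part of the original post (the class name, method name and tag list are assumptions): HTML-encode the whole posted value, then restore only a short allow-list of attribute-free formatting tags.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility (System.Web.dll)

// Added example; RichTextInput and ToSafeHtml are hypothetical names.
public static class RichTextInput
{
    // Tags allowed to survive, without attributes. Assumed list; adjust per editor.
    private static readonly string[] AllowedTags =
        { "p", "b", "i", "em", "strong", "ul", "ol", "li", "br" };

    // After HtmlEncode, "<p>" is "&lt;p&gt;" and "</p>" is "&lt;/p&gt;".
    // Only bare tags match, so a tag carrying any attribute
    // (onclick=, style=, href=) stays encoded and renders as text.
    private static readonly Regex EncodedTag = new Regex(
        @"&lt;(/?)(" + string.Join("|", AllowedTags) + @")\s*(/?)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static string ToSafeHtml(string posted)
    {
        if (string.IsNullOrEmpty(posted)) return string.Empty;

        // Step 1: neutralise everything, including < > & and quotes.
        string encoded = HttpUtility.HtmlEncode(posted);

        // Step 2: turn allow-listed tags back into markup.
        return EncodedTag.Replace(encoded, m =>
            "<" + m.Groups[1].Value
                + m.Groups[2].Value.ToLowerInvariant()
                + m.Groups[3].Value + ">");
    }

    public static void Main()
    {
        // Constructed sample inputs, not taken from the post.
        string[] samples =
        {
            "<p>Hello</p>",                     // kept as markup
            "<P onclick=\"x()\">Hello</P>",     // attribute present: stays encoded
            "<script>alert(1)</script><b>hi</b>" // script encoded, <b> kept
        };
        foreach (string s in samples)
            Console.WriteLine(ToSafeHtml(s));
    }
}
```

In the page's code-behind, pass the posted value through it before storing or rendering, for example `ToSafeHtml(TextBox1.Text)`.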
