A potentially dangerous Request.Form value was detected from the client in ASP.NET WebForms and MVC

This error turns up when you enter input into a text field that contains what looks like markup. For example:

[Screenshot: APotentiallyDangerouseRequestFormValue]

When you submit, you would normally get something like this… (which unfortunately I copied from the wrong place originally :S)

Server Error in ‘/MyApplication’ Application.


A potentially dangerous Request.Form value was detected from the client (remarks="<code></code>5678,<c…").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (remarks="<code></code>5678,<c…").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (remarks="<code></code>5678,<c...").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +8723114
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +111
   System.Web.HttpRequest.get_Form() +129
   System.Web.HttpRequestWrapper.get_Form() +11
   System.Web.Mvc.ValueProviderDictionary.PopulateDictionary() +145
   System.Web.Mvc.ValueProviderDictionary..ctor(ControllerContext controllerContext) +74
   System.Web.Mvc.ControllerBase.get_ValueProvider() +31
   System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) +53
   System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) +109
   System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +399
   System.Web.Mvc.Controller.ExecuteCore() +126
   System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +27
   System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext) +7
   System.Web.Mvc.MvcHandler.ProcessRequest(HttpContextBase httpContext) +151
   System.Web.Mvc.MvcHandler.ProcessRequest(HttpContext httpContext) +57
   System.Web.Mvc.MvcHandler.System.Web.IHttpHandler.ProcessRequest(HttpContext httpContext) +7
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75


Version Information: Microsoft .NET Framework Version:2.0.50727.4016; ASP.NET Version:2.0.50727.4016

 

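… which is a sensible default, but in situations where you want people to be able to enter markup of some kind you need to be able to disable it. Once it is disabled, checking and encoding that input becomes your application's job, as the error message itself points out. There are several ways to disable it.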

WebForms – Per Page

This is a matter of adding the ValidateRequest property to the page directive per page:

<%@ Page Language="c#" … ValidateRequest="false"%>

WebForms – Globally

Turning off validation globally (which is not recommended unless you need to and know the consequences) is done by editing the Web.config file’s pages element and adding the validateRequest attribute as shown below:

<system.web> 
  : 
  <pages validateRequest="false" /> 
  : 
</system.web>

MVC – Action

To prevent this error in MVC you can do it per action by applying the ValidateInputAttribute to the action method.

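[AcceptVerbs(HttpVerbs.Post)]
[ValidateInput(false)]   // turns request validation off for this action only
public ActionResult EditMyEntity(string newValue)
{
    // newValue arrives unvalidated here and may contain markup
    // … action body …
}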

Note that I also have an entry on the MVC attribute here which discusses this attribute a little more. I think it needs updating though 🙂
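With validation off, the action receives markup untouched, so the application has to do the explicit checking the error message recommends. The following is an added example, not code from the original post: it HTML-encodes the whole value and then restores only a short allowlist of attribute-less tags. The RemarksEncoder helper, the controller name, the remarks parameter, the tag list and the length limit are all assumptions made for illustration.

```csharp
using System;
using System.Web;       // HttpUtility (System.Web.dll)
using System.Web.Mvc;

// Hypothetical helper: names and the tag list are assumptions for this example.
public static class RemarksEncoder
{
    // Only these tags are let through, and only in their exact,
    // attribute-less, lower-case form. Everything else stays encoded.
    private static readonly string[] AllowedTags = { "code", "b", "i" };

    public static string ToSafeHtml(string raw)
    {
        if (String.IsNullOrEmpty(raw)) return String.Empty;

        // 1. Encode everything, so no client-supplied markup survives.
        string safe = HttpUtility.HtmlEncode(raw);

        // 2. Restore the allowlisted tags. A tag carrying attributes
        //    (e.g. <b onclick=...>) does not match and remains inert text.
        foreach (string tag in AllowedTags)
        {
            safe = safe.Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                       .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return safe;
    }
}

public class MyEntityController : Controller
{
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]   // request validation is off for this action only
    public ActionResult EditMyEntity(string remarks)
    {
        // Explicit input check replacing the framework's blanket rejection.
        if (remarks != null && remarks.Length > 4000)   // constructed limit
        {
            ModelState.AddModelError("remarks", "Remarks are too long.");
            return View();
        }

        // Encode before the value reaches the view; the view then writes
        // ViewData["RemarksHtml"] as-is and anything else via Html.Encode.
        ViewData["RemarksHtml"] = RemarksEncoder.ToSafeHtml(remarks);
        return View();
    }
}
```

Given the input from the error above, `<code></code>5678`, the helper returns the same string, while `<script>` or a tag with attributes comes back encoded and renders as visible text.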
