Thursday, February 18, 2010

Potentially dangerous Request.Form value was detected from the client : ValidateRequest

This error occurs because ASP.NET request validation detected HTML-like markup in a value posted from an input control (e.g. a TextBox). Below are three possible ways around the issue, each with its own advantages and disadvantages:

1. Add ValidateRequest="false" to the existing Page directive on the relevant pages. This disables request validation for those pages only, so every value they echo back must be encoded (see option 3).

<%@ Page Language="C#" MasterPageFile="~/Master.master" ValidateRequest="false" AutoEventWireup="true" CodeFile="Default.aspx.cs"
    Inherits="_Default" %>

2. Add the following to the Web.config within the <system.web> section to disable request validation globally. This allows users to submit HTML through any control on the site, which could be harmful or have undesirable consequences.

<system.web>
    <pages validateRequest="false" />
</system.web>

3. Unless you genuinely need users to enter HTML into a form, make sure that any user-supplied text displayed in a control is HTML-encoded before it is rendered.

// Requires a using for System.Web. HtmlEncode turns <, >, &, and quotes into entities so the
// text is displayed as-is instead of being interpreted as markup by the browser.
lblTextBox.Text = HttpUtility.HtmlEncode( lblTextBox.Text );
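As an added example (not code from the original post), here is a code-behind for a page that uses option 1 and therefore relies on option 3 to stay safe. It assumes the page contains a TextBox named txtComment, a Button named btnPreview and a Label named lblPreview; those control names are assumptions.

```csharp
// Added example, not from the original post. Assumes the .aspx page has
// ValidateRequest="false" in its Page directive and declares the controls
// txtComment (TextBox), btnPreview (Button) and lblPreview (Label).
using System;
using System.Web;
using System.Web.UI;

public partial class CommentPreview : Page
{
    protected void btnPreview_Click(object sender, EventArgs e)
    {
        // With request validation off, this value may contain markup such as
        // "<i>hello</i><script>...</script>" exactly as the user typed it.
        string raw = txtComment.Text;

        // Label.Text is written to the response verbatim, so it is the dangerous sink.
        // Encode once, at the point of output, and the markup is displayed as text
        // instead of being executed in every visitor's browser.
        lblPreview.Text = HttpUtility.HtmlEncode(raw);

        // Do not write the encoded value back into txtComment: the TextBox control
        // already encodes its own value attribute when rendering, so assigning
        // HtmlEncode(raw) to it would double-encode ("&lt;" becomes "&amp;lt;")
        // on the next postback.
    }
}
```

The same rule applies to any other sink that renders text verbatim (Literal controls, Response.Write, inline <%= %> blocks), not only to Label.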
