Home Asp.net A potentially dangerous Request.Form value was detected from the client Error in...

A potentially dangerous Request.Form value was detected from the client Error in .NET

8
0

While working on an Asp.net web projects, We sometimes got an issue like A potentially dangerous Request from the client.
.
.
What does this error means? Simply it means when user enters non-encoded HTML content into a textbox or passing via querystring.

Here in this tutorial, I’ll explain how to resolve error like “A potentially dangerous Request.Form value was detected from the client” with cause and solution.

Error: A potentially dangerous Request

Server Error in ‘/’ Application.


A potentially dangerous Request.Form value was detected from the client (TextBox1=”<span>Hi,
How are you?</span>”).

Description: Request Validation has detected a potentially dangerous client input value, and processing
of the request has been aborted. This value may indicate an attempt to compromise the security of your
application, such as a cross-site scripting attack. You can disable request validation by setting
validateRequest=false in the Page directive or in the configuration section. However, it is strongly
recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form
value was detected from the client (TextBox1=”<span>Hi, How are you?</span>”).

The above exception occurs when ValidateRequest is set true (by default it sets to true) and someone tries to submit HTML content to server (for example, <span>Hi, How are you?</span>). When we parse this HTML content, this error comes since Asp.net tries to protect the application from Scripting Attacks. Most likely, it’ll comes when you’re working with Rich TextBoxes or Rich Text Editors to parse HTML content to server.

Error Cause:

The .NET framework is throwing up an error because it detected something in the entered text which looks like an HTML statement. The text doesn’t need to contain valid HTML, just anything with opening and closing angled brackets “<…>”.

The reason behind the error is as a security precaution. Developers need to be aware that users might try to inject HTML (or even a script) into a text box which may affect how the form is rendered. You can get more details at Request Validation – Preventing Script Attacks here.

Note: This checking was not performed in the .NET 1.0 framework and was introduced with the .NET 1.1 framework.

Error Solution:

To disable request validation to a specific page, we need to add the ValidateRequest=”false” to the existing Page directive in that .aspx file:

<%@ Page Language=”C#” AutoEventWireup=”true” CodeBehind=”Example.aspx.cs”
Inherits=”Examples.Example” ValidateRequest=”false” %>

Note: If you are using Asp.net 4.0+, you must needs to add or update the <httpRuntime requestValidationMode=”2.0″/> to the web.config file:

<configuration>
<system.web>
<httpRuntime requestValidationMode=2.0/>
</system.web>
</configuration>

Note: If you want to turn off validation request globally for every page, you need to add the <pages validateRequest=”false” /> line with above validation mode statement in the existing web.config file:

<configuration>
<system.web>
<pages validateRequest=false />
<httpRuntime requestValidationMode=2.0/>
</system.web>
</configuration>
Note: I always avoid using the last solution because there is a huge security issue raise in globally declaration. The request validation feature in Asp.net provides a certain level of default protection against cross-site scripting (XSS) attacks.If you still wants to use the last option, then you don’t need to add the ValidateRequest=”false” in the Page directive of every .aspx page.

LEAVE A REPLY

Please enter your comment!
Please enter your name here
Captcha verification failed!
CAPTCHA user score failed. Please contact us!