ASP.net dangerous submission error


When I try and run a forum page:

System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client 

In my web.config I have:

<pages validateRequest="false" smartNavigation="false">

And on the actual page I also have:

<%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false" MasterPageFile="~/MasterPages/Main.master" %>

But it keeps throwing this error!

Edit

I fixed it with:

<httpRuntime requestValidationMode="2.0" />

But what's that do and why does it work?


There are 2 best solutions below

0
On BEST ANSWER

This error occurs because something in the submitted form, or in the querystring, looked dangerous to the validation in ASP.NET.

By adding

<httpRuntime requestValidationMode="2.0" />

you are relaxing the validation that is applied back to the standards of ASP.NET 2.

I would say you are far better off trying to work out exactly what it objects to in your form/querystring than just relaxing the validation. This tightened validation is there to protect you and your users, and shouldn't be relaxed lightly.

I have recently hit this on a project I am working on when we upgraded to ASP.NET MVC3 (from version 2). In our case it actually highlighted an issue whereby we were urlencoding our querystring when we didn't mean to (i.e. the entire querystring including the question mark and the ampersands was all getting url encoded when it shouldn't be).

Whatever your reason, look for the root cause rather than relax the validation if it is at all possible.

0
On

There was probably markup in the submitted text. http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes

The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:

<httpRuntime requestValidationMode="2.0" />
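
An added configuration sketch, not part of either answer above: it keeps the ASP.NET 4 behaviour site-wide and reverts to 2.0-style validation only for the one page that has to accept markup. The path `Forum/Post.aspx` is a hypothetical placeholder for the forum page.

```xml
<!-- Added illustration; "Forum/Post.aspx" is a hypothetical path. -->
<configuration>
  <system.web>
    <!-- Site-wide: keep the ASP.NET 4 default, so request validation runs
         before BeginRequest for pages, custom handlers, modules and
         Web service calls alike. -->
    <httpRuntime requestValidationMode="4.0" />
    <pages validateRequest="true" />
  </system.web>

  <!-- Only the page that must accept markup falls back to 2.0 behaviour.
       In 4.0 mode the validateRequest setting on <pages> and in the
       @ Page directive is ignored, which is why ValidateRequest="false"
       alone did not stop the exception. In 2.0 mode it is honoured again. -->
  <location path="Forum/Post.aspx">
    <system.web>
      <httpRuntime requestValidationMode="2.0" />
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

With validation off for that page, nothing screens the submitted text any more, so every value it stores or echoes has to be HTML-encoded at output (for example with `HttpUtility.HtmlEncode`).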