A potentially dangerous Request Form value was detected from the client

Question

I have this issue  I have tried everything  ValidateRequest  false    and decoding and encoding html   etc  etc    What I need is a popup box  so im using ModalPopupExtender  to present to a user where people can type in xml settings and click ok cancel button to close the popup and save    However i keep on getting this error  A potentially dangerous Request Form value was detected from the client      Here is my test code below  quick example of my scenario and error      lt    Page Language  C   AutoEventWireup  true  CodeBehind  WebForm1 aspx cs  Inherits  WebApplication1 WebForm1      ValidateRequest  false    gt    lt    Register Assembly  AjaxControlToolkit  Namespace  AjaxControlToolkit  TagPrefix  cc1    gt   lt  DOCTYPE html PUBLIC  -  W3C  DTD XHTML 1 0 Transitional  EN   http   www w3 org TR xhtml1 DTD xhtml1-transitional dtd  gt   lt html xmlns  http   www w3 org 1999 xhtml  gt   lt head runat  server  gt       lt title gt  lt  title gt   lt  head gt   lt body gt       lt form id  form1  runat  server  gt       lt asp ScriptManager ID  ScriptManager1  runat  server  gt       lt  asp ScriptManager gt       lt div gt           lt asp Panel ID  Popup  runat  server  Width  800px  Style  display  none   gt               lt asp LinkButton ID  Display  runat  server  Style  display  none   OnClick  Display Click    gt               lt cc1 ModalPopupExtender ID  ModalPopupExtender  runat  server  TargetControlID  Display                  PopupControlID  Popup  DropShadow  false  Y  10    gt               lt div id  Item  gt                   lt div class  Item  gt                       lt table width  100   gt                           lt tr gt                                                               lt td gt                                   lt textarea id  txtAreaValue  cols  35  rows  6  style  resize  none   runat  server    gt                               lt  td gt                           lt  tr gt                           lt tr gt                                                               lt td gt                                   lt asp Button ID  btnOk  Text  Ok  SkinID  default  Width  50px  runat  server    gt                                   lt asp Button ID  btnCancel  Text  Cancel  SkinID  default  Width  50px  OnClick  BtnCancel Click                                      runat  server    gt                               lt  td gt                           lt  tr gt                       lt  table gt                   lt  div gt               lt  div gt           lt  asp Panel gt       lt  div gt       lt  form gt   lt  body gt   lt  html gt    Code Behind   using System  using System Collections Generic  using System Linq  using System Web  using System Web UI  using System Web UI WebControls   namespace WebApplication1       public partial class WebForm1   System Web UI Page               protected void Page Load object sender  EventArgs e                        ModalPopupExtender Show                string str     lt  xml version   1 0   encoding   utf-8    gt  lt XmlConfig xmlns xsi   http   www w3 org 2001 XMLSchema-instance   xmlns xsd   http   www w3 org 2001 XMLSchema   gt   lt XmlConfig Type   TEST   DefiningXpath    PERSON NAME   gt  lt Index Name   Name   XPath    PERSON NAME VALUE   Type   String     gt  lt Index Name   Id   XPath    PERSON NAME ID   Type   String     gt   lt  XmlConfig gt  lt  XmlConfig gt                 txtAreaValue InnerText   str                     protected void Display Click object sender  EventArgs e                          Shows the Item detail Edit box             ModalPopupExtender Show                       protected void BtnCancel Click object sender  EventArgs e                        ModalPopupExtender Hide                        To run the code   Add ref to AjaxControltoolkit dll and then run and you will see the textarea being populated with xml  Click on the cancel button and this causes the error  Please can anyone help me

User · Answer

The other solutions here are nice  however it s a bit of a royal pain in the rear to have to apply  AllowHtml  to every single Model property  especially if you have over 100 models on a decent sized site   If like me  you want to turn this  IMHO pretty pointless  feature off site wide you can override the Execute   method in your base controller  if you don t already have a base controller I suggest you make one  they can be pretty useful for applying common functionality        protected override void Execute RequestContext requestContext                   Disable requestion validation  security  across the whole site         ValidateRequest   false          base Execute requestContext           Just make sure that you are HTML encoding everything that is pumped out to the views that came from user input  it s default behaviour in ASP NET MVC 3 with Razor anyway  so unless for some bizarre reason you are using Html Raw   you shouldn t require this feature

User · Answer

You can catch that error in Global asax   I still want to validate  but show an appropriate message    On the blog listed below  a sample like this was available         void Application Error object sender  EventArgs e                Exception ex   Server GetLastError             if  ex is HttpRequestValidationException                        Response Clear                Response StatusCode   200              Response Write    html                 Response End                      Redirecting to another page also seems like a reasonable response to the exception   http   www romsteady net blog 2007 06 how-to-catch-httprequestvalidationexcep html

User · Answer

You can HTML encode text box content  but unfortunately that won t stop the exception from happening  In my experience there is no way around  and you have to disable page validation  By doing that you re saying   I ll be careful  I promise

User · Answer

As long as these are only   lt   and      and not the double quote itself  characters and you re using them in context like  lt input value  this    gt   you re safe  while for  lt textarea gt this one lt  textarea gt  you would be vulnerable of course   That may simplify your situation  but for anything more use one of other posted solutions

User · Answer

I ended up using JavaScript before each postback to check for the characters you didn t want  such as    lt asp Button runat  server  ID  saveButton  Text  Save  CssClass  saveButton  OnClientClick  return checkFields      gt   function checkFields         var tbs   new Array        tbs   document getElementsByTagName  input        var isValid   true      for  i 0  i lt tbs length  i              if  tbs i  type     text                 if  tbs i  value indexOf   lt       -1    tbs i  value indexOf   gt       -1                    alert   lt  gt  symbols not allowed                     isValid   false                                    return isValid      Granted my page is mostly data entry  and there are very few elements that do postbacks  but at least their data is retained

User · Answer

There are 3 options to remove this error    Set validateRequest  false  in page directives  Set validateRequest  false  in web config file  Set requestValidationMode  2 0  in web config if you are using DotNet 4 0   Checkout this link for more info

User · Answer

Cause  ASP NET by default validates all input controls for potentially unsafe contents that can lead to cross-site scripting  XSS  and SQL injections  Thus it disallows such content by throwing the above exception  By default it is recommended to allow this check to happen on each postback   Solution  On many occasions you need to submit HTML content to your page through Rich TextBoxes or Rich Text Editors  In that case you can avoid this exception by setting the ValidateRequest tag in the  Page directive to false    lt    Page Language  C   AutoEventWireup  true  ValidateRequest    false    gt    This will disable the validation of requests for the page you have set the ValidateRequest flag to false  If you want to disable this  check throughout your web application  you   ll need to set it to false in your web config  lt system web  section   lt pages validateRequest   false    gt    For  NET 4 0 or higher frameworks you will need to also add the following line in the  lt system web  section to make the above work    lt httpRuntime requestValidationMode    2 0    gt    That   s it  I hope this helps you in getting rid of the above issue   Reference by  ASP Net Error  A potentially dangerous Request Form value was detected from the client

User · Answer

Please bear in mind that some  NET controls will automatically HTML encode the output  For instance  setting the  Text property on a TextBox control will automatically encode it  That specifically means converting  lt  into  amp lt    gt  into  amp gt  and  amp  into  amp amp   So be wary of doing this     myTextBox Text   Server HtmlEncode myStringFromDatabase      Pseudo code   However  the  Text property for HyperLink  Literal and Label won t HTML encode things  so wrapping Server HtmlEncode    around anything being set on these properties is a must if you want to prevent  lt script gt  window location    http   www google com    lt  script gt  from being output into your page and subsequently executed   Do a little experimenting to see what gets encoded and what doesn t

User · Answer

The previous answers are great  but nobody said how to exclude a single field from being validated for HTML JavaScript injections  I don t know about previous versions  but in MVC3 Beta you can do this    HttpPost  ValidateInput true  Exclude    YourFieldName    public virtual ActionResult Edit int id  FormCollection collection                This still validates all the fields except for the excluded one  The nice thing about this is that your validation attributes still validate the field  but you just don t get the  A potentially dangerous Request Form value was detected from the client  exceptions   I ve used this for validating a regular expression  I ve made my own ValidationAttribute to see if the regular expression is valid or not  As regular expressions can contain something that looks like a script I applied the above code - the regular expression is still being checked if it s valid or not  but not if it contains scripts or HTML

User · Answer

I know this question is about form posting  but I would like to add some details for people who received this error on others circumstances  It could also occur on a handler used to implement a web service     Suppose your web client sends POST or PUT requests using ajax and sends either json or xml text or raw data  a file content  to your web service  Because your web service does not need to get any information from a Content-Type header  your JavaScript code did not set this header to your ajax request  But if you do not set this header on a POST PUT ajax request  Safari may add this header   Content-Type  application x-www-form-urlencoded   I observed that on Safari 6 on iPhone  but others Safari versions OS or Chrome may do the same  So when receiving this Content-Type header some part of  NET Framework assume the request body data structure corresponds to an html form posting while it does not and rose an HttpRequestValidationException exception  First thing to do is obviously to always set Content-Type header to anything but a form MIME type on a POST PUT ajax request even it is useless to your web service   I also discovered this detail  On these circumstances  the HttpRequestValidationException exception is rose when your code tries to access HttpRequest Params collection  But surprisingly  this exception is not rose when it accesses HttpRequest ServerVariables collection  This shows that while these two collections seem to be nearly identical  one accesses request data through security checks and the other one does not

User · Answer

The other solutions here are nice  however it s a bit of a royal pain in the rear to have to apply  AllowHtml  to every single Model property  especially if you have over 100 models on a decent sized site   If like me  you want to turn this  IMHO pretty pointless  feature off site wide you can override the Execute   method in your base controller  if you don t already have a base controller I suggest you make one  they can be pretty useful for applying common functionality        protected override void Execute RequestContext requestContext                   Disable requestion validation  security  across the whole site         ValidateRequest   false          base Execute requestContext           Just make sure that you are HTML encoding everything that is pumped out to the views that came from user input  it s default behaviour in ASP NET MVC 3 with Razor anyway  so unless for some bizarre reason you are using Html Raw   you shouldn t require this feature

User · Answer

You could also use JavaScript s escape string  function to replace the special characters   Then server side use Server URLDecode string  to switch it back   This way you don t have to turn off input validation and it will be more clear to other programmers that the string may have HTML content

User · Answer

Here are possible solution which may help you     Make server side configuration setting for this      If you want to allow HTML element as input from selected pages in your project than you set this page attribute    lt    Page ValidateRequest  false    gt    This ValidateRequest  false  on each page  If you want in all pages in you project than make changes in Web Config file  Add this tag In  section     If you are using  Net 4 0 than you have to make one more change in Web Config file  Add this tag In  section    lt httpRuntime requestValidationMode  2 0    gt    Here are configuration for do not validate request for all pages in  Net 4 0   lt configuration gt     lt system web gt        lt httpRuntime requestValidationMode  2 0    gt     lt  system web gt     lt pages validateRequest  false  gt     lt  pages gt   lt  configuration gt    Here is full example on this  Click Here

User · Answer

For those who are not using model binding  who are extracting each parameter from the Request Form  who are sure the input text will cause no harm  there is another way  Not a great solution but it will do the job     From client side  encode it as uri then send it  e g     encodeURIComponent     MsgBody   val         From server side  accept it and decode it as uri  e g     string temp    string IsNullOrEmpty HttpContext Current Request Form  MsgBody      System Web HttpUtility UrlDecode HttpContext Current Request Form  MsgBody       null      or    string temp    string IsNullOrEmpty HttpContext Current Request Form  MsgBody      System Uri UnescapeDataString HttpContext Current Request Form  MsgBody       null     please look for the differences between UrlDecode and UnescapeDataString

User · Answer

If you re just looking to tell your users that  lt  and   are not to be used BUT  you don t want the entire form processed posted back  and lose all the input  before-hand could you not simply put in a validator around the field to screen for those  and maybe other potentially dangerous  characters

User · Answer

For ASP NET 4 0  you can allow markup as input for specific pages instead of the whole site by putting it all in a  lt location gt  element   This will make sure all your other pages are safe   You do NOT need to put ValidateRequest  false  in your  aspx page    lt configuration gt         lt location path  MyFolder  aspx  gt       lt system web gt         lt pages validateRequest  false    gt         lt httpRuntime requestValidationMode  2 0    gt       lt  system web gt     lt  location gt       lt  configuration gt    It is safer to control this inside your web config  because you can see at a site level which pages allow markup as input   You still need to programmatically validate input on pages where request validation is disabled

User · Answer

in my case  using asp Textbox control  Asp net 4 5   instead of setting the all page for validateRequest  false   i used    lt asp TextBox runat  server  ID  mainTextBox              ValidateRequestMode  Disabled    gt  lt  asp TextBox gt    on the Textbox that caused the exception

User · Answer

For those of us still stuck on webforms I found the following solution that enables you to only disable the validation on one field   I would hate to disable it for the whole page    VB NET   Public Class UnvalidatedTextBox     Inherits TextBox     Protected Overrides Function LoadPostData postDataKey As String  postCollection As NameValueCollection  As Boolean         Return MyBase LoadPostData postDataKey  System Web HttpContext Current Request Unvalidated Form      End Function End Class   C    public class UnvalidatedTextBox   TextBox       protected override bool LoadPostData string postDataKey  NameValueCollection postCollection                return base LoadPostData postDataKey  System Web HttpContext Current Request Unvalidated Form             Now just use  lt prefix UnvalidatedTextBox id  test  runat  server    gt  instead of  lt asp TextBox  and it should allow all characters  this is perfect for password fields

User · Answer

In ASP NET  you can catch the exception and do something about it  such as displaying a friendly message or redirect to another page    Also there is a possibility that you can handle the validation by yourself     Display friendly message   protected override void OnError EventArgs e        base OnError e       var ex   Server GetLastError   GetBaseException        if  ex is System Web HttpRequestValidationException                Response Clear            Response Write  Invalid characters         Response Write HttpUtility HtmlEncode ex Message            Response StatusCode   200          Response End

User · Answer

You can use something like   var nvc   Request Unvalidated   Form    Later  nvc  yourKey   should work

User · Answer

You could also use JavaScript s escape string  function to replace the special characters   Then server side use Server URLDecode string  to switch it back   This way you don t have to turn off input validation and it will be more clear to other programmers that the string may have HTML content

User · Answer

I guess you could do it in a module  but that leaves open some questions  what if you want to save the input to a database  Suddenly because you re saving encoded data to the database you end up trusting input from it which is probably a bad idea  Ideally you store raw unencoded data in the database and the encode every time   Disabling the protection on a per page level and then encoding each time is a better option   Rather than using Server HtmlEncode you should look at the newer  more complete Anti-XSS library from the Microsoft ACE team

User · Answer

I ended up using JavaScript before each postback to check for the characters you didn t want  such as    lt asp Button runat  server  ID  saveButton  Text  Save  CssClass  saveButton  OnClientClick  return checkFields      gt   function checkFields         var tbs   new Array        tbs   document getElementsByTagName  input        var isValid   true      for  i 0  i lt tbs length  i              if  tbs i  type     text                 if  tbs i  value indexOf   lt       -1    tbs i  value indexOf   gt       -1                    alert   lt  gt  symbols not allowed                     isValid   false                                    return isValid      Granted my page is mostly data entry  and there are very few elements that do postbacks  but at least their data is retained

User · Answer

In ASP NET  you can catch the exception and do something about it  such as displaying a friendly message or redirect to another page    Also there is a possibility that you can handle the validation by yourself     Display friendly message   protected override void OnError EventArgs e        base OnError e       var ex   Server GetLastError   GetBaseException        if  ex is System Web HttpRequestValidationException                Response Clear            Response Write  Invalid characters         Response Write HttpUtility HtmlEncode ex Message            Response StatusCode   200          Response End

User · Answer

I know this question is about form posting  but I would like to add some details for people who received this error on others circumstances  It could also occur on a handler used to implement a web service     Suppose your web client sends POST or PUT requests using ajax and sends either json or xml text or raw data  a file content  to your web service  Because your web service does not need to get any information from a Content-Type header  your JavaScript code did not set this header to your ajax request  But if you do not set this header on a POST PUT ajax request  Safari may add this header   Content-Type  application x-www-form-urlencoded   I observed that on Safari 6 on iPhone  but others Safari versions OS or Chrome may do the same  So when receiving this Content-Type header some part of  NET Framework assume the request body data structure corresponds to an html form posting while it does not and rose an HttpRequestValidationException exception  First thing to do is obviously to always set Content-Type header to anything but a form MIME type on a POST PUT ajax request even it is useless to your web service   I also discovered this detail  On these circumstances  the HttpRequestValidationException exception is rose when your code tries to access HttpRequest Params collection  But surprisingly  this exception is not rose when it accesses HttpRequest ServerVariables collection  This shows that while these two collections seem to be nearly identical  one accesses request data through security checks and the other one does not

User · Answer

If you re just looking to tell your users that  lt  and   are not to be used BUT  you don t want the entire form processed posted back  and lose all the input  before-hand could you not simply put in a validator around the field to screen for those  and maybe other potentially dangerous  characters

User · Answer

For MVC  ignore input validation by adding        ValidateInput false     above each Action in the Controller

User · Answer

You can HTML encode text box content  but unfortunately that won t stop the exception from happening  In my experience there is no way around  and you have to disable page validation  By doing that you re saying   I ll be careful  I promise

User · Answer

You can automatically HTML encode field in custom Model Binder  My solution some different  I put error in ModelState and display error message near the field  It s easy to modify this code for automatically encode    public class AppModelBinder   DefaultModelBinder               protected override object CreateModel ControllerContext controllerContext  ModelBindingContext bindingContext  Type modelType                        try                               return base CreateModel controllerContext  bindingContext  modelType                             catch  HttpRequestValidationException e                                HandleHttpRequestValidationException bindingContext  e                   return null     Encode here                                 protected override object GetPropertyValue ControllerContext controllerContext  ModelBindingContext bindingContext              PropertyDescriptor propertyDescriptor  IModelBinder propertyBinder                        try                               return base GetPropertyValue controllerContext  bindingContext  propertyDescriptor  propertyBinder                             catch  HttpRequestValidationException e                                HandleHttpRequestValidationException bindingContext  e                   return null     Encode here                                  protected void HandleHttpRequestValidationException ModelBindingContext bindingContext  HttpRequestValidationException ex                        var valueProviderCollection   bindingContext ValueProvider as ValueProviderCollection              if  valueProviderCollection    null                                ValueProviderResult valueProviderResult   valueProviderCollection GetValue bindingContext ModelName  skipValidation  true                   bindingContext ModelState SetModelValue bindingContext ModelName  valueProviderResult                              string errorMessage   string Format CultureInfo CurrentCulture    0  contains invalid symbols   lt    amp                         bindingContext ModelMetadata DisplayName                bindingContext ModelState AddModelError bindingContext ModelName  errorMessage                     In Application Start   ModelBinders Binders DefaultBinder   new AppModelBinder      Note that it works only for form fields  Dangerous value not passed to controller model  but stored in ModelState and can be redisplayed on form with error message    Dangerous chars in URL may be handled this way   private void Application Error object sender  EventArgs e        Exception exception   Server GetLastError        HttpContext httpContext   HttpContext Current       HttpException httpException   exception as HttpException      if  httpException    null                RouteData routeData   new RouteData            routeData Values Add  controller    Error            var httpCode   httpException GetHttpCode            switch  httpCode                        case  int HttpStatusCode BadRequest    400                     if  httpException Message Contains  Request Path                                          httpContext Response Clear                        RequestContext requestContext   new RequestContext new HttpContextWrapper Context   routeData                       requestContext RouteData Values  action     InvalidUrl                       requestContext RouteData Values  controller     Error                       IControllerFactory factory   ControllerBuilder Current GetControllerFactory                        IController controller   factory CreateController requestContext   Error                        controller Execute requestContext                       httpContext Server ClearError                        Response StatusCode    int HttpStatusCode BadRequest    400                                       break                      ErrorController     public class ErrorController   Controller       public ActionResult InvalidUrl              return View

User · Answer

You could also use JavaScript s escape string  function to replace the special characters   Then server side use Server URLDecode string  to switch it back   This way you don t have to turn off input validation and it will be more clear to other programmers that the string may have HTML content

User · Answer

I found a solution that uses JavaScript to encode the data  which is decoded in  NET  and doesn t require jQuery     Make the textbox an HTML element  like textarea  instead of an ASP one  Add a hidden field  Add the following JavaScript function to your header        function boo             targetText   document getElementById  HiddenField1            sourceText   document getElementById  userbox            targetText value   escape sourceText innerText            In your textarea  include an onchange that calls boo      lt textarea id  userbox   onchange  boo     gt  lt  textarea gt    Finally  in  NET  use  string val   Server UrlDecode HiddenField1 Value     I am aware that this is one-way - if you need two-way you ll have to get creative  but this provides a solution if you cannot edit the web config  Here s an example I  MC9000  came up with and use via jQuery     document  ready function               txtHTML   change function              var currentText       txtHTML   text            currentText   escape currentText      Escapes the HTML including quotations  etc             hidHTML   val currentText      Set the hidden field                 Intercept the postback         btnMyPostbackButton   click function                  txtHTML   val         Clear the textarea before POSTing                                   If you don t clear it  it will give you                                   the error due to the HTML in the textarea          return true     Post back                 And the markup    lt asp HiddenField ID  hidHTML  runat  server    gt   lt textarea id  txtHTML  gt  lt  textarea gt   lt asp Button ID  btnMyPostbackButton  runat  server  Text  Post Form    gt    This works great  If a hacker tries to post via bypassing JavaScript  they they will just see the error  You can save all this data encoded in a database as well  then unescape it  on the server side   and parse  amp  check for attacks before displaying elsewhere

User · Answer

I ended up using JavaScript before each postback to check for the characters you didn t want  such as    lt asp Button runat  server  ID  saveButton  Text  Save  CssClass  saveButton  OnClientClick  return checkFields      gt   function checkFields         var tbs   new Array        tbs   document getElementsByTagName  input        var isValid   true      for  i 0  i lt tbs length  i              if  tbs i  type     text                 if  tbs i  value indexOf   lt       -1    tbs i  value indexOf   gt       -1                    alert   lt  gt  symbols not allowed                     isValid   false                                    return isValid      Granted my page is mostly data entry  and there are very few elements that do postbacks  but at least their data is retained

User · Answer

There s a different solution to this error if you re using ASP NET MVC    ASP NET MVC     pages validateRequest false doesn   t work  Why is ValidateInput False  not working  ASP NET MVC RC1  VALIDATEINPUT  A POTENTIAL DANGEROUS REQUEST AND THE PITFALL   C  sample    HttpPost  ValidateInput false   public ActionResult Edit FormCollection collection                   Visual Basic sample    lt AcceptVerbs HttpVerbs Post   ValidateInput False  gt    Function Edit ByVal collection As FormCollection  As ActionResult         End Function

User · Answer

I created a table article with columns articleId and article content  I also used html editor for article content column  When I tried to save I got the same error  It was resolved by adding  AllowHtml  to the article content property in the class     AllowHtml    Required   public string article content   get  set      Don   t forget to include the namespace using System Web Mvc  For more details  http   www infinetsoft com Post A-potentially-dangerous-Request-Form-value-was-detected-from-the-client 1246

User · Answer

The answer to this question is simple   var varname   Request Unvalidated  parameter name      This would disable validation for the particular request

User · Answer

I was getting this error too   In my case  a user entered an accented character    in a Role Name  regarding the ASP NET membership provider    I pass the role name to a method to grant Users to that role and the   ajax post request was failing miserably     I did this to solve the problem   Instead of  data    roleName    Model RoleName   users  users     Do this  data    roleName    Html Raw  Model RoleName    users  users      Html Raw did the trick   I was getting the Role name as HTML value roleName  Cadastro b amp  225 s   This value with HTML entity  amp  225  was being blocked by ASP NET MVC  Now I get the roleName parameter value the way it should be  roleName  Cadastro B  sico  and ASP NET MVC engine won t block the request anymore

User · Answer

How to fix this issue for AjaxExtControls in ASP NET 4 6 2   We had the same problem with AjaxExtControls rich text editor  This issue started right after upgrading from  NET 2 0 to  NET 4 5  I looked at all SOF answers but could not find a solution that does not compromise with the security provided by  NET 4 5   Fix 1 Not Recommended as it can degrade application security    I tested after changing this attribute in  requestValidationMode    2 0 and it worked but I was concerned about the security features  So this is fix is like degrading the security for entire application   Fix 2  Recommended   Since this issue was only occurring with one of AjaxExtControl  I was finally able to solve this issue using the simple code below   editorID value   editorID value replace   gt  g    amp gt     editorID value   editorID value replace   lt  g    amp lt       This code is executed on client side  javascript  before sending the request to server  Note that the editorID is not the ID that we have on our html aspx pages but it is the id of the rich text editor that AjaxExtControl internally uses

User · Answer

You could also use JavaScript s escape string  function to replace the special characters   Then server side use Server URLDecode string  to switch it back   This way you don t have to turn off input validation and it will be more clear to other programmers that the string may have HTML content

User · Answer

In  Net 4 0 and onwards  which is the usual case  put the following setting in system web   lt system web gt        lt httpRuntime requestValidationMode  2 0    gt

User · Answer

I found a solution that uses JavaScript to encode the data  which is decoded in  NET  and doesn t require jQuery     Make the textbox an HTML element  like textarea  instead of an ASP one  Add a hidden field  Add the following JavaScript function to your header        function boo             targetText   document getElementById  HiddenField1            sourceText   document getElementById  userbox            targetText value   escape sourceText innerText            In your textarea  include an onchange that calls boo      lt textarea id  userbox   onchange  boo     gt  lt  textarea gt    Finally  in  NET  use  string val   Server UrlDecode HiddenField1 Value     I am aware that this is one-way - if you need two-way you ll have to get creative  but this provides a solution if you cannot edit the web config  Here s an example I  MC9000  came up with and use via jQuery     document  ready function               txtHTML   change function              var currentText       txtHTML   text            currentText   escape currentText      Escapes the HTML including quotations  etc             hidHTML   val currentText      Set the hidden field                 Intercept the postback         btnMyPostbackButton   click function                  txtHTML   val         Clear the textarea before POSTing                                   If you don t clear it  it will give you                                   the error due to the HTML in the textarea          return true     Post back                 And the markup    lt asp HiddenField ID  hidHTML  runat  server    gt   lt textarea id  txtHTML  gt  lt  textarea gt   lt asp Button ID  btnMyPostbackButton  runat  server  Text  Post Form    gt    This works great  If a hacker tries to post via bypassing JavaScript  they they will just see the error  You can save all this data encoded in a database as well  then unescape it  on the server side   and parse  amp  check for attacks before displaying elsewhere

User · Answer

You can HTML encode text box content  but unfortunately that won t stop the exception from happening  In my experience there is no way around  and you have to disable page validation  By doing that you re saying   I ll be careful  I promise

User · Answer

Disable the page validation if you really need the special characters like   gt      lt   etc  Then ensure that when the user input is displayed  the data is HTML-encoded    There is a security vulnerability with the page validation  so it can be bypassed  Also the page validation shouldn t be solely relied on   See  http   web archive org web 20080913071637 http   www procheckup com 80 PDFs bypassing-dot-NET-ValidateRequest pdf

User · Answer

If you re just looking to tell your users that  lt  and   are not to be used BUT  you don t want the entire form processed posted back  and lose all the input  before-hand could you not simply put in a validator around the field to screen for those  and maybe other potentially dangerous  characters

User · Answer

I see there s a lot written about this   and I didn t see this mentioned  This has been available since  NET Framework 4 5 The ValidateRequestMode setting for a control is a great option  This way the other controls on the page are still protected  No web config changes needed   protected void Page Load object sender  EventArgs e          txtMachKey ValidateRequestMode   ValidateRequestMode Disabled

User · Answer

A solution  I don t like to turn off the post validation  validateRequest  false    On the other hand it is not acceptable that the application crashes just because an innocent user happens to type  lt x or something    Therefore I wrote a client side javascript function  xssCheckValidates  that makes a preliminary check  This function is called when there is an attempt to post the form data  like this    lt form id  form1  runat  server  onsubmit  return xssCheckValidates     gt    The function is quite simple and could be improved but it is doing its job   Please notice that the purpose of this is not to protect the system from hacking  it is meant to protect the users from a bad experience  The request validation done at the server is still turned on  and that is  part of  the protection of the system  to the extent it is capable of doing that     The reason i say  part of  here is because I have heard that the built in request validation might not be enough  so other complementary means might be necessary to have full protection  But  again  the javascript function I present here has nothing to do with protecting the system  It is only meant to make sure the users will not have a bad experience   You can try it out here    x000D   x000D      function xssCheckValidates     x000D        var valid   true  x000D        var inp   document querySelectorAll  x000D             input not  disabled  not  readonly   not  type hidden      x000D              textarea not  disabled  not  readonly      x000D        for  var i   0  i  lt  inp length  i      x000D          if   inp i  readOnly    x000D            if  inp i  value indexOf   lt     gt  -1    x000D              valid   false  x000D              break  x000D              x000D            if  inp i  value indexOf   amp      gt  -1    x000D              valid   false  x000D              break  x000D              x000D            x000D          x000D        if  valid    x000D          return true  x000D          else   x000D          alert  In one or more of the text fields  you have typed r nthe character   lt   or the character sequence   amp     r n r nThis is unfortunately not allowed since r nit can be used in hacking attempts  r n r nPlease edit the field and try again     x000D          return false  x000D          x000D        x000D   lt form onsubmit  return xssCheckValidates      gt  x000D    Try to type  lt  or  amp    lt br  gt  x000D     lt input type  text    gt  lt br  gt  x000D     lt textarea gt  lt  textarea gt  x000D     lt input type  submit  value  Send    gt  x000D   lt  form gt  x000D   x000D   x000D

User · Answer

You can use something like   var nvc   Request Unvalidated   Form    Later  nvc  yourKey   should work

User · Answer

How to fix this issue for AjaxExtControls in ASP NET 4 6 2   We had the same problem with AjaxExtControls rich text editor  This issue started right after upgrading from  NET 2 0 to  NET 4 5  I looked at all SOF answers but could not find a solution that does not compromise with the security provided by  NET 4 5   Fix 1 Not Recommended as it can degrade application security    I tested after changing this attribute in  requestValidationMode    2 0 and it worked but I was concerned about the security features  So this is fix is like degrading the security for entire application   Fix 2  Recommended   Since this issue was only occurring with one of AjaxExtControl  I was finally able to solve this issue using the simple code below   editorID value   editorID value replace   gt  g    amp gt     editorID value   editorID value replace   lt  g    amp lt       This code is executed on client side  javascript  before sending the request to server  Note that the editorID is not the ID that we have on our html aspx pages but it is the id of the rich text editor that AjaxExtControl internally uses

User · Answer

For ASP NET 4 0  you can allow markup as input for specific pages instead of the whole site by putting it all in a  lt location gt  element   This will make sure all your other pages are safe   You do NOT need to put ValidateRequest  false  in your  aspx page    lt configuration gt         lt location path  MyFolder  aspx  gt       lt system web gt         lt pages validateRequest  false    gt         lt httpRuntime requestValidationMode  2 0    gt       lt  system web gt     lt  location gt       lt  configuration gt    It is safer to control this inside your web config  because you can see at a site level which pages allow markup as input   You still need to programmatically validate input on pages where request validation is disabled

User · Answer

How to fix this issue for AjaxExtControls in ASP NET 4 6 2   We had the same problem with AjaxExtControls rich text editor  This issue started right after upgrading from  NET 2 0 to  NET 4 5  I looked at all SOF answers but could not find a solution that does not compromise with the security provided by  NET 4 5   Fix 1 Not Recommended as it can degrade application security    I tested after changing this attribute in  requestValidationMode    2 0 and it worked but I was concerned about the security features  So this is fix is like degrading the security for entire application   Fix 2  Recommended   Since this issue was only occurring with one of AjaxExtControl  I was finally able to solve this issue using the simple code below   editorID value   editorID value replace   gt  g    amp gt     editorID value   editorID value replace   lt  g    amp lt       This code is executed on client side  javascript  before sending the request to server  Note that the editorID is not the ID that we have on our html aspx pages but it is the id of the rich text editor that AjaxExtControl internally uses

User · Answer

You can catch that error in Global asax   I still want to validate  but show an appropriate message    On the blog listed below  a sample like this was available         void Application Error object sender  EventArgs e                Exception ex   Server GetLastError             if  ex is HttpRequestValidationException                        Response Clear                Response StatusCode   200              Response Write    html                 Response End                      Redirecting to another page also seems like a reasonable response to the exception   http   www romsteady net blog 2007 06 how-to-catch-httprequestvalidationexcep html

User · Answer

For those of us still stuck on webforms I found the following solution that enables you to only disable the validation on one field   I would hate to disable it for the whole page    VB NET   Public Class UnvalidatedTextBox     Inherits TextBox     Protected Overrides Function LoadPostData postDataKey As String  postCollection As NameValueCollection  As Boolean         Return MyBase LoadPostData postDataKey  System Web HttpContext Current Request Unvalidated Form      End Function End Class   C    public class UnvalidatedTextBox   TextBox       protected override bool LoadPostData string postDataKey  NameValueCollection postCollection                return base LoadPostData postDataKey  System Web HttpContext Current Request Unvalidated Form             Now just use  lt prefix UnvalidatedTextBox id  test  runat  server    gt  instead of  lt asp TextBox  and it should allow all characters  this is perfect for password fields

User · Answer

As long as these are only   lt   and      and not the double quote itself  characters and you re using them in context like  lt input value  this    gt   you re safe  while for  lt textarea gt this one lt  textarea gt  you would be vulnerable of course   That may simplify your situation  but for anything more use one of other posted solutions

User · Answer

As long as these are only   lt   and      and not the double quote itself  characters and you re using them in context like  lt input value  this    gt   you re safe  while for  lt textarea gt this one lt  textarea gt  you would be vulnerable of course   That may simplify your situation  but for anything more use one of other posted solutions

User · Answer

If you don t want to disable ValidateRequest you need to implement a JavaScript function in order to avoid the exception  It is not the best option  but it works   function AlphanumericValidation evt        var charCode    evt charCode    evt charCode     evt keyCode    evt keyCode             evt which    evt which   0            User type Enter key     if  charCode    13                   Do something  set controls focus or do anything         return false                User can not type non alphanumeric characters     if    charCode  lt   48                                   charCode  gt  122                                    charCode  gt  57   amp  amp   charCode  lt  65                 charCode  gt  90   amp  amp   charCode  lt  97                             Show a message or do something         return false            Then in code behind  on the PageLoad event  add the attribute to your control with the next code   Me TextBox1 Attributes Add  OnKeyPress    return AlphanumericValidation event

User · Answer

The other solutions here are nice  however it s a bit of a royal pain in the rear to have to apply  AllowHtml  to every single Model property  especially if you have over 100 models on a decent sized site   If like me  you want to turn this  IMHO pretty pointless  feature off site wide you can override the Execute   method in your base controller  if you don t already have a base controller I suggest you make one  they can be pretty useful for applying common functionality        protected override void Execute RequestContext requestContext                   Disable requestion validation  security  across the whole site         ValidateRequest   false          base Execute requestContext           Just make sure that you are HTML encoding everything that is pumped out to the views that came from user input  it s default behaviour in ASP NET MVC 3 with Razor anyway  so unless for some bizarre reason you are using Html Raw   you shouldn t require this feature

User · Answer

You can HTML encode text box content  but unfortunately that won t stop the exception from happening  In my experience there is no way around  and you have to disable page validation  By doing that you re saying   I ll be careful  I promise

User · Answer

You should use the Server HtmlEncode method to protect your site from dangerous input   More info here

User · Answer

In ASP NET MVC  starting in version 3   you can add the AllowHtml attribute to a property on your model   It allows a request to include HTML markup during model binding by skipping request validation for the property    AllowHtml  public string Description   get  set

User · Answer

Disable the page validation if you really need the special characters like   gt      lt   etc  Then ensure that when the user input is displayed  the data is HTML-encoded    There is a security vulnerability with the page validation  so it can be bypassed  Also the page validation shouldn t be solely relied on   See  http   web archive org web 20080913071637 http   www procheckup com 80 PDFs bypassing-dot-NET-ValidateRequest pdf

User · Answer

As indicated in my comment to Sel s answer  this is our extension to a custom request validator   public class SkippableRequestValidator   RequestValidator       protected override bool IsValidRequestString HttpContext context  string value  RequestValidationSource requestValidationSource  string collectionKey  out int validationFailureIndex                if  collectionKey    null  amp  amp  collectionKey EndsWith   NoValidation                          validationFailureIndex   0              return true                     return base IsValidRequestString context  value  requestValidationSource  collectionKey  out validationFailureIndex

User · Answer

None of the suggestions worked for me   I did not want to turn off this feature for the whole website anyhow because 99  time I do not want my users placing HTML on web forms   I just created my own work around method since I m the only one using this particular application   I convert the input to HTML in the code behind and insert it into my database

User · Answer

I see there s a lot written about this   and I didn t see this mentioned  This has been available since  NET Framework 4 5 The ValidateRequestMode setting for a control is a great option  This way the other controls on the page are still protected  No web config changes needed   protected void Page Load object sender  EventArgs e          txtMachKey ValidateRequestMode   ValidateRequestMode Disabled

User · Answer

Another solution is   protected void Application Start                 RequestValidator Current   new MyRequestValidator       public class MyRequestValidator  RequestValidator       protected override bool IsValidRequestString HttpContext context  string value  RequestValidationSource requestValidationSource  string collectionKey  out int validationFailureIndex                bool result   base IsValidRequestString context  value  requestValidationSource  collectionKey  out validationFailureIndex            if   result                           Write your validation here             if  requestValidationSource    RequestValidationSource Form                    requestValidationSource    RequestValidationSource QueryString                   return true     Suppress error message                   return result

User · Answer

For those who are not using model binding  who are extracting each parameter from the Request Form  who are sure the input text will cause no harm  there is another way  Not a great solution but it will do the job     From client side  encode it as uri then send it  e g     encodeURIComponent     MsgBody   val         From server side  accept it and decode it as uri  e g     string temp    string IsNullOrEmpty HttpContext Current Request Form  MsgBody      System Web HttpUtility UrlDecode HttpContext Current Request Form  MsgBody       null      or    string temp    string IsNullOrEmpty HttpContext Current Request Form  MsgBody      System Uri UnescapeDataString HttpContext Current Request Form  MsgBody       null     please look for the differences between UrlDecode and UnescapeDataString

User · Answer

You should use the Server HtmlEncode method to protect your site from dangerous input   More info here

User · Answer

I found a solution that uses JavaScript to encode the data  which is decoded in  NET  and doesn t require jQuery     Make the textbox an HTML element  like textarea  instead of an ASP one  Add a hidden field  Add the following JavaScript function to your header        function boo             targetText   document getElementById  HiddenField1            sourceText   document getElementById  userbox            targetText value   escape sourceText innerText            In your textarea  include an onchange that calls boo      lt textarea id  userbox   onchange  boo     gt  lt  textarea gt    Finally  in  NET  use  string val   Server UrlDecode HiddenField1 Value     I am aware that this is one-way - if you need two-way you ll have to get creative  but this provides a solution if you cannot edit the web config  Here s an example I  MC9000  came up with and use via jQuery     document  ready function               txtHTML   change function              var currentText       txtHTML   text            currentText   escape currentText      Escapes the HTML including quotations  etc             hidHTML   val currentText      Set the hidden field                 Intercept the postback         btnMyPostbackButton   click function                  txtHTML   val         Clear the textarea before POSTing                                   If you don t clear it  it will give you                                   the error due to the HTML in the textarea          return true     Post back                 And the markup    lt asp HiddenField ID  hidHTML  runat  server    gt   lt textarea id  txtHTML  gt  lt  textarea gt   lt asp Button ID  btnMyPostbackButton  runat  server  Text  Post Form    gt    This works great  If a hacker tries to post via bypassing JavaScript  they they will just see the error  You can save all this data encoded in a database as well  then unescape it  on the server side   and parse  amp  check for attacks before displaying elsewhere

User · Answer

If you are on  NET 4 0 make sure you add this in your web config file inside the  lt system web gt  tags    lt httpRuntime requestValidationMode  2 0    gt      In  NET 2 0  request validation only applied to aspx requests  In  NET 4 0 this was expanded to include all requests  You can revert to only performing XSS validation when processing  aspx by specifying   requestValidationMode  2 0    You can disable request validate entirely by specifying   validateRequest  false

User · Answer

I ended up using JavaScript before each postback to check for the characters you didn t want  such as    lt asp Button runat  server  ID  saveButton  Text  Save  CssClass  saveButton  OnClientClick  return checkFields      gt   function checkFields         var tbs   new Array        tbs   document getElementsByTagName  input        var isValid   true      for  i 0  i lt tbs length  i              if  tbs i  type     text                 if  tbs i  value indexOf   lt       -1    tbs i  value indexOf   gt       -1                    alert   lt  gt  symbols not allowed                     isValid   false                                    return isValid      Granted my page is mostly data entry  and there are very few elements that do postbacks  but at least their data is retained

User · Answer

You can use JavaScript to encode the values before sending to the server  if that suits your needs  see this answer

User · Answer

In the web config file  within the  tags  insert the httpRuntime element with the attribute requestValidationMode  2 0   Also add the validateRequest  false  attribute in the pages element   Example    lt configuration gt     lt system web gt      lt httpRuntime requestValidationMode  2 0    gt     lt  system web gt     lt pages validateRequest  false  gt     lt  pages gt   lt  configuration gt

User · Answer

You should use the Server HtmlEncode method to protect your site from dangerous input   More info here

User · Answer

Please bear in mind that some  NET controls will automatically HTML encode the output  For instance  setting the  Text property on a TextBox control will automatically encode it  That specifically means converting  lt  into  amp lt    gt  into  amp gt  and  amp  into  amp amp   So be wary of doing this     myTextBox Text   Server HtmlEncode myStringFromDatabase      Pseudo code   However  the  Text property for HyperLink  Literal and Label won t HTML encode things  so wrapping Server HtmlEncode    around anything being set on these properties is a must if you want to prevent  lt script gt  window location    http   www google com    lt  script gt  from being output into your page and subsequently executed   Do a little experimenting to see what gets encoded and what doesn t

User · Answer

If you re using framework 4 0 then the entry in the web config   lt pages validateRequest  false        lt configuration gt       lt system web gt           lt pages validateRequest  false    gt       lt  system web gt   lt  configuration gt    If you re using framework 4 5 then the entry in the web config  requestValidationMode  2 0     lt system web gt       lt compilation debug  true  targetFramework  4 5    gt       lt httpRuntime targetFramework  4 5  requestValidationMode  2 0   gt   lt  system web gt    If you want for only single page then  In you aspx file you should put the first line as this     lt    Page EnableEventValidation  false    gt    if you already have something like   lt    Page so just add the rest    EnableEventValidation  false      I recommend not to do it

User · Answer

For ASP NET 4 0  you can allow markup as input for specific pages instead of the whole site by putting it all in a  lt location gt  element   This will make sure all your other pages are safe   You do NOT need to put ValidateRequest  false  in your  aspx page    lt configuration gt         lt location path  MyFolder  aspx  gt       lt system web gt         lt pages validateRequest  false    gt         lt httpRuntime requestValidationMode  2 0    gt       lt  system web gt     lt  location gt       lt  configuration gt    It is safer to control this inside your web config  because you can see at a site level which pages allow markup as input   You still need to programmatically validate input on pages where request validation is disabled

User · Answer

If you are on  NET 4 0 make sure you add this in your web config file inside the  lt system web gt  tags    lt httpRuntime requestValidationMode  2 0    gt      In  NET 2 0  request validation only applied to aspx requests  In  NET 4 0 this was expanded to include all requests  You can revert to only performing XSS validation when processing  aspx by specifying   requestValidationMode  2 0    You can disable request validate entirely by specifying   validateRequest  false

User · Answer

Last but not least  please note ASP NET Data Binding controls automatically encode values during data binding  This changes the default behavior of all ASP NET controls  TextBox  Label etc  contained in the ItemTemplate  The following sample demonstrates  ValidateRequest is set to false    aspx   lt    Page Language  C   ValidateRequest  false  AutoEventWireup  true  CodeBehind  Default aspx cs  Inherits  WebApplication17  Default    gt   lt html gt   lt body gt       lt form runat  server  gt           lt asp FormView ID  FormView1  runat  server  ItemType  WebApplication17 S  SelectMethod  FormView1 GetItem  gt               lt ItemTemplate gt                   lt asp TextBox ID  TextBox1  runat  server  gt  lt  asp TextBox gt                   lt asp Button ID  Button1  runat  server  Text  Button  OnClick  Button1 Click    gt                   lt asp Label ID  Label1  runat  server  Text   lt     Item Text   gt   gt  lt  asp Label gt                   lt asp TextBox ID  TextBox2  runat  server  Text   lt     Item Text   gt   gt  lt  asp TextBox gt               lt  ItemTemplate gt           lt  asp FormView gt       lt  form gt         code behind  public partial class  Default   Page       S s   new S         protected void Button1 Click object sender  EventArgs e                s Text     TextBox FormView1 FindControl  TextBox1    Text          FormView1 DataBind               public S FormView1 GetItem int  id                return s           public class S       public string Text   get  set         Case submit value   amp  39    Label1 Text value   amp  39   TextBox2 Text value   amp amp  39    Case submit value   lt script gt alert  attack     lt  script gt    Label1 Text value   lt script gt alert  attack     lt  script gt   TextBox2 Text value   amp lt script amp gt alert  amp  39 attack  amp  39    amp lt  script amp gt

User · Answer

None of the suggestions worked for me   I did not want to turn off this feature for the whole website anyhow because 99  time I do not want my users placing HTML on web forms   I just created my own work around method since I m the only one using this particular application   I convert the input to HTML in the code behind and insert it into my database

User · Answer

For those who are not using model binding  who are extracting each parameter from the Request Form  who are sure the input text will cause no harm  there is another way  Not a great solution but it will do the job     From client side  encode it as uri then send it  e g     encodeURIComponent     MsgBody   val         From server side  accept it and decode it as uri  e g     string temp    string IsNullOrEmpty HttpContext Current Request Form  MsgBody      System Web HttpUtility UrlDecode HttpContext Current Request Form  MsgBody       null      or    string temp    string IsNullOrEmpty HttpContext Current Request Form  MsgBody      System Uri UnescapeDataString HttpContext Current Request Form  MsgBody       null     please look for the differences between UrlDecode and UnescapeDataString

User · Answer

in my case  using asp Textbox control  Asp net 4 5   instead of setting the all page for validateRequest  false   i used    lt asp TextBox runat  server  ID  mainTextBox              ValidateRequestMode  Disabled    gt  lt  asp TextBox gt    on the Textbox that caused the exception

User · Answer

If you re just looking to tell your users that  lt  and   are not to be used BUT  you don t want the entire form processed posted back  and lose all the input  before-hand could you not simply put in a validator around the field to screen for those  and maybe other potentially dangerous  characters

User · Answer

None of the suggestions worked for me   I did not want to turn off this feature for the whole website anyhow because 99  time I do not want my users placing HTML on web forms   I just created my own work around method since I m the only one using this particular application   I convert the input to HTML in the code behind and insert it into my database

User · Answer

As indicated in my comment to Sel s answer  this is our extension to a custom request validator   public class SkippableRequestValidator   RequestValidator       protected override bool IsValidRequestString HttpContext context  string value  RequestValidationSource requestValidationSource  string collectionKey  out int validationFailureIndex                if  collectionKey    null  amp  amp  collectionKey EndsWith   NoValidation                          validationFailureIndex   0              return true                     return base IsValidRequestString context  value  requestValidationSource  collectionKey  out validationFailureIndex

User · Answer

As long as these are only   lt   and      and not the double quote itself  characters and you re using them in context like  lt input value  this    gt   you re safe  while for  lt textarea gt this one lt  textarea gt  you would be vulnerable of course   That may simplify your situation  but for anything more use one of other posted solutions

User · Answer

Use the Server HtmlEncode  yourtext

User · Answer

If you don t want to disable ValidateRequest you need to implement a JavaScript function in order to avoid the exception  It is not the best option  but it works   function AlphanumericValidation evt        var charCode    evt charCode    evt charCode     evt keyCode    evt keyCode             evt which    evt which   0            User type Enter key     if  charCode    13                   Do something  set controls focus or do anything         return false                User can not type non alphanumeric characters     if    charCode  lt   48                                   charCode  gt  122                                    charCode  gt  57   amp  amp   charCode  lt  65                 charCode  gt  90   amp  amp   charCode  lt  97                             Show a message or do something         return false            Then in code behind  on the PageLoad event  add the attribute to your control with the next code   Me TextBox1 Attributes Add  OnKeyPress    return AlphanumericValidation event

User · Answer

There s a different solution to this error if you re using ASP NET MVC    ASP NET MVC     pages validateRequest false doesn   t work  Why is ValidateInput False  not working  ASP NET MVC RC1  VALIDATEINPUT  A POTENTIAL DANGEROUS REQUEST AND THE PITFALL   C  sample    HttpPost  ValidateInput false   public ActionResult Edit FormCollection collection                   Visual Basic sample    lt AcceptVerbs HttpVerbs Post   ValidateInput False  gt    Function Edit ByVal collection As FormCollection  As ActionResult         End Function

User · Answer

I think you are attacking it from the wrong angle by trying to encode all posted data  Note that a  quot  lt  quot  could also come from other outside sources  like a database field  a configuration  a file  a feed and so on  Furthermore   quot  lt  quot  is not inherently dangerous  It s only dangerous in a specific context  when writing strings that haven t been encoded to HTML output  because of XSS   In other contexts different sub-strings are dangerous  for example  if you write an user-provided URL into a link  the sub-string  quot javascript  quot  may be dangerous  The single quote character on the other hand is dangerous when interpolating strings in SQL queries  but perfectly safe if it is a part of a name submitted from a form or read from a database field  The bottom line is  you can t filter random input for dangerous characters  because any character may be dangerous under the right circumstances  You should encode at the point where some specific characters may become dangerous because they cross into a different sub-language where they have special meaning  When you write a string to HTML  you should encode characters that have special meaning in HTML  using Server HtmlEncode  If you pass a string to a dynamic SQL statement  you should encode different characters  or better  let the framework do it for you by using prepared statements or the like    When you are sure you HTML-encode everywhere you pass strings to HTML  then set ValidateRequest  quot false quot  in the  lt    Page       gt  directive in your  aspx file s   In  NET 4 you may need to do a little more  Sometimes it s necessary to also add  lt httpRuntime requestValidationMode  quot 2 0 quot    gt  to web config  reference

User · Answer

I think you are attacking it from the wrong angle by trying to encode all posted data  Note that a  quot  lt  quot  could also come from other outside sources  like a database field  a configuration  a file  a feed and so on  Furthermore   quot  lt  quot  is not inherently dangerous  It s only dangerous in a specific context  when writing strings that haven t been encoded to HTML output  because of XSS   In other contexts different sub-strings are dangerous  for example  if you write an user-provided URL into a link  the sub-string  quot javascript  quot  may be dangerous  The single quote character on the other hand is dangerous when interpolating strings in SQL queries  but perfectly safe if it is a part of a name submitted from a form or read from a database field  The bottom line is  you can t filter random input for dangerous characters  because any character may be dangerous under the right circumstances  You should encode at the point where some specific characters may become dangerous because they cross into a different sub-language where they have special meaning  When you write a string to HTML  you should encode characters that have special meaning in HTML  using Server HtmlEncode  If you pass a string to a dynamic SQL statement  you should encode different characters  or better  let the framework do it for you by using prepared statements or the like    When you are sure you HTML-encode everywhere you pass strings to HTML  then set ValidateRequest  quot false quot  in the  lt    Page       gt  directive in your  aspx file s   In  NET 4 you may need to do a little more  Sometimes it s necessary to also add  lt httpRuntime requestValidationMode  quot 2 0 quot    gt  to web config  reference

User · Answer

Last but not least  please note ASP NET Data Binding controls automatically encode values during data binding  This changes the default behavior of all ASP NET controls  TextBox  Label etc  contained in the ItemTemplate  The following sample demonstrates  ValidateRequest is set to false    aspx   lt    Page Language  C   ValidateRequest  false  AutoEventWireup  true  CodeBehind  Default aspx cs  Inherits  WebApplication17  Default    gt   lt html gt   lt body gt       lt form runat  server  gt           lt asp FormView ID  FormView1  runat  server  ItemType  WebApplication17 S  SelectMethod  FormView1 GetItem  gt               lt ItemTemplate gt                   lt asp TextBox ID  TextBox1  runat  server  gt  lt  asp TextBox gt                   lt asp Button ID  Button1  runat  server  Text  Button  OnClick  Button1 Click    gt                   lt asp Label ID  Label1  runat  server  Text   lt     Item Text   gt   gt  lt  asp Label gt                   lt asp TextBox ID  TextBox2  runat  server  Text   lt     Item Text   gt   gt  lt  asp TextBox gt               lt  ItemTemplate gt           lt  asp FormView gt       lt  form gt         code behind  public partial class  Default   Page       S s   new S         protected void Button1 Click object sender  EventArgs e                s Text     TextBox FormView1 FindControl  TextBox1    Text          FormView1 DataBind               public S FormView1 GetItem int  id                return s           public class S       public string Text   get  set         Case submit value   amp  39    Label1 Text value   amp  39   TextBox2 Text value   amp amp  39    Case submit value   lt script gt alert  attack     lt  script gt    Label1 Text value   lt script gt alert  attack     lt  script gt   TextBox2 Text value   amp lt script amp gt alert  amp  39 attack  amp  39    amp lt  script amp gt

User · Answer

If you re just looking to tell your users that  lt  and   are not to be used BUT  you don t want the entire form processed posted back  and lose all the input  before-hand could you not simply put in a validator around the field to screen for those  and maybe other potentially dangerous  characters

User · Answer

The other solutions here are nice  however it s a bit of a royal pain in the rear to have to apply  AllowHtml  to every single Model property  especially if you have over 100 models on a decent sized site   If like me  you want to turn this  IMHO pretty pointless  feature off site wide you can override the Execute   method in your base controller  if you don t already have a base controller I suggest you make one  they can be pretty useful for applying common functionality        protected override void Execute RequestContext requestContext                   Disable requestion validation  security  across the whole site         ValidateRequest   false          base Execute requestContext           Just make sure that you are HTML encoding everything that is pumped out to the views that came from user input  it s default behaviour in ASP NET MVC 3 with Razor anyway  so unless for some bizarre reason you are using Html Raw   you shouldn t require this feature

User · Answer

I guess you could do it in a module  but that leaves open some questions  what if you want to save the input to a database  Suddenly because you re saving encoded data to the database you end up trusting input from it which is probably a bad idea  Ideally you store raw unencoded data in the database and the encode every time   Disabling the protection on a per page level and then encoding each time is a better option   Rather than using Server HtmlEncode you should look at the newer  more complete Anti-XSS library from the Microsoft ACE team

User · Answer

As long as these are only   lt   and      and not the double quote itself  characters and you re using them in context like  lt input value  this    gt   you re safe  while for  lt textarea gt this one lt  textarea gt  you would be vulnerable of course   That may simplify your situation  but for anything more use one of other posted solutions

User · Answer

I faced this same problem while sending some email templates from aspx page to code behind      So I tried to solve this by adding     lt httpRuntime requestValidationMode  2 0    gt    in my web config under enter code here  but that did not helped me unless I putted  ValidateRequest  false    attrribute in the page directive of the aspx page

User · Answer

You can catch that error in Global asax   I still want to validate  but show an appropriate message    On the blog listed below  a sample like this was available         void Application Error object sender  EventArgs e                Exception ex   Server GetLastError             if  ex is HttpRequestValidationException                        Response Clear                Response StatusCode   200              Response Write    html                 Response End                      Redirecting to another page also seems like a reasonable response to the exception   http   www romsteady net blog 2007 06 how-to-catch-httprequestvalidationexcep html

User · Answer

In  Net 4 0 and onwards  which is the usual case  put the following setting in system web   lt system web gt        lt httpRuntime requestValidationMode  2 0    gt

User · Answer

It seems no one has mentioned the below yet  but it fixes the issue for me   And before anyone says yeah it s Visual Basic    yuck    lt    Page Language  vb  AutoEventWireup  false  CodeBehind  Example aspx vb  Inherits  Example Example    ValidateRequest  false      gt    I don t know if there are any downsides  but for me this worked amazing

User · Answer

You can automatically HTML encode field in custom Model Binder  My solution some different  I put error in ModelState and display error message near the field  It s easy to modify this code for automatically encode    public class AppModelBinder   DefaultModelBinder               protected override object CreateModel ControllerContext controllerContext  ModelBindingContext bindingContext  Type modelType                        try                               return base CreateModel controllerContext  bindingContext  modelType                             catch  HttpRequestValidationException e                                HandleHttpRequestValidationException bindingContext  e                   return null     Encode here                                 protected override object GetPropertyValue ControllerContext controllerContext  ModelBindingContext bindingContext              PropertyDescriptor propertyDescriptor  IModelBinder propertyBinder                        try                               return base GetPropertyValue controllerContext  bindingContext  propertyDescriptor  propertyBinder                             catch  HttpRequestValidationException e                                HandleHttpRequestValidationException bindingContext  e                   return null     Encode here                                  protected void HandleHttpRequestValidationException ModelBindingContext bindingContext  HttpRequestValidationException ex                        var valueProviderCollection   bindingContext ValueProvider as ValueProviderCollection              if  valueProviderCollection    null                                ValueProviderResult valueProviderResult   valueProviderCollection GetValue bindingContext ModelName  skipValidation  true                   bindingContext ModelState SetModelValue bindingContext ModelName  valueProviderResult                              string errorMessage   string Format CultureInfo CurrentCulture    0  contains invalid symbols   lt    amp                         bindingContext ModelMetadata DisplayName                bindingContext ModelState AddModelError bindingContext ModelName  errorMessage                     In Application Start   ModelBinders Binders DefaultBinder   new AppModelBinder      Note that it works only for form fields  Dangerous value not passed to controller model  but stored in ModelState and can be redisplayed on form with error message    Dangerous chars in URL may be handled this way   private void Application Error object sender  EventArgs e        Exception exception   Server GetLastError        HttpContext httpContext   HttpContext Current       HttpException httpException   exception as HttpException      if  httpException    null                RouteData routeData   new RouteData            routeData Values Add  controller    Error            var httpCode   httpException GetHttpCode            switch  httpCode                        case  int HttpStatusCode BadRequest    400                     if  httpException Message Contains  Request Path                                          httpContext Response Clear                        RequestContext requestContext   new RequestContext new HttpContextWrapper Context   routeData                       requestContext RouteData Values  action     InvalidUrl                       requestContext RouteData Values  controller     Error                       IControllerFactory factory   ControllerBuilder Current GetControllerFactory                        IController controller   factory CreateController requestContext   Error                        controller Execute requestContext                       httpContext Server ClearError                        Response StatusCode    int HttpStatusCode BadRequest    400                                       break                      ErrorController     public class ErrorController   Controller       public ActionResult InvalidUrl              return View

User · Answer

A solution  I don t like to turn off the post validation  validateRequest  false    On the other hand it is not acceptable that the application crashes just because an innocent user happens to type  lt x or something    Therefore I wrote a client side javascript function  xssCheckValidates  that makes a preliminary check  This function is called when there is an attempt to post the form data  like this    lt form id  form1  runat  server  onsubmit  return xssCheckValidates     gt    The function is quite simple and could be improved but it is doing its job   Please notice that the purpose of this is not to protect the system from hacking  it is meant to protect the users from a bad experience  The request validation done at the server is still turned on  and that is  part of  the protection of the system  to the extent it is capable of doing that     The reason i say  part of  here is because I have heard that the built in request validation might not be enough  so other complementary means might be necessary to have full protection  But  again  the javascript function I present here has nothing to do with protecting the system  It is only meant to make sure the users will not have a bad experience   You can try it out here    x000D   x000D      function xssCheckValidates     x000D        var valid   true  x000D        var inp   document querySelectorAll  x000D             input not  disabled  not  readonly   not  type hidden      x000D              textarea not  disabled  not  readonly      x000D        for  var i   0  i  lt  inp length  i      x000D          if   inp i  readOnly    x000D            if  inp i  value indexOf   lt     gt  -1    x000D              valid   false  x000D              break  x000D              x000D            if  inp i  value indexOf   amp      gt  -1    x000D              valid   false  x000D              break  x000D              x000D            x000D          x000D        if  valid    x000D          return true  x000D          else   x000D          alert  In one or more of the text fields  you have typed r nthe character   lt   or the character sequence   amp     r n r nThis is unfortunately not allowed since r nit can be used in hacking attempts  r n r nPlease edit the field and try again     x000D          return false  x000D          x000D        x000D   lt form onsubmit  return xssCheckValidates      gt  x000D    Try to type  lt  or  amp    lt br  gt  x000D     lt input type  text    gt  lt br  gt  x000D     lt textarea gt  lt  textarea gt  x000D     lt input type  submit  value  Send    gt  x000D   lt  form gt  x000D   x000D   x000D

User · Answer

In ASP NET  you can catch the exception and do something about it  such as displaying a friendly message or redirect to another page    Also there is a possibility that you can handle the validation by yourself     Display friendly message   protected override void OnError EventArgs e        base OnError e       var ex   Server GetLastError   GetBaseException        if  ex is System Web HttpRequestValidationException                Response Clear            Response Write  Invalid characters         Response Write HttpUtility HtmlEncode ex Message            Response StatusCode   200          Response End

User · Answer

Please bear in mind that some  NET controls will automatically HTML encode the output  For instance  setting the  Text property on a TextBox control will automatically encode it  That specifically means converting  lt  into  amp lt    gt  into  amp gt  and  amp  into  amp amp   So be wary of doing this     myTextBox Text   Server HtmlEncode myStringFromDatabase      Pseudo code   However  the  Text property for HyperLink  Literal and Label won t HTML encode things  so wrapping Server HtmlEncode    around anything being set on these properties is a must if you want to prevent  lt script gt  window location    http   www google com    lt  script gt  from being output into your page and subsequently executed   Do a little experimenting to see what gets encoded and what doesn t

User · Answer

I think you are attacking it from the wrong angle by trying to encode all posted data  Note that a  quot  lt  quot  could also come from other outside sources  like a database field  a configuration  a file  a feed and so on  Furthermore   quot  lt  quot  is not inherently dangerous  It s only dangerous in a specific context  when writing strings that haven t been encoded to HTML output  because of XSS   In other contexts different sub-strings are dangerous  for example  if you write an user-provided URL into a link  the sub-string  quot javascript  quot  may be dangerous  The single quote character on the other hand is dangerous when interpolating strings in SQL queries  but perfectly safe if it is a part of a name submitted from a form or read from a database field  The bottom line is  you can t filter random input for dangerous characters  because any character may be dangerous under the right circumstances  You should encode at the point where some specific characters may become dangerous because they cross into a different sub-language where they have special meaning  When you write a string to HTML  you should encode characters that have special meaning in HTML  using Server HtmlEncode  If you pass a string to a dynamic SQL statement  you should encode different characters  or better  let the framework do it for you by using prepared statements or the like    When you are sure you HTML-encode everywhere you pass strings to HTML  then set ValidateRequest  quot false quot  in the  lt    Page       gt  directive in your  aspx file s   In  NET 4 you may need to do a little more  Sometimes it s necessary to also add  lt httpRuntime requestValidationMode  quot 2 0 quot    gt  to web config  reference

User · Answer

Cause  ASP NET by default validates all input controls for potentially unsafe contents that can lead to cross-site scripting  XSS  and SQL injections  Thus it disallows such content by throwing the above exception  By default it is recommended to allow this check to happen on each postback   Solution  On many occasions you need to submit HTML content to your page through Rich TextBoxes or Rich Text Editors  In that case you can avoid this exception by setting the ValidateRequest tag in the  Page directive to false    lt    Page Language  C   AutoEventWireup  true  ValidateRequest    false    gt    This will disable the validation of requests for the page you have set the ValidateRequest flag to false  If you want to disable this  check throughout your web application  you   ll need to set it to false in your web config  lt system web  section   lt pages validateRequest   false    gt    For  NET 4 0 or higher frameworks you will need to also add the following line in the  lt system web  section to make the above work    lt httpRuntime requestValidationMode    2 0    gt    That   s it  I hope this helps you in getting rid of the above issue   Reference by  ASP Net Error  A potentially dangerous Request Form value was detected from the client

User · Answer

I know this question is about form posting  but I would like to add some details for people who received this error on others circumstances  It could also occur on a handler used to implement a web service     Suppose your web client sends POST or PUT requests using ajax and sends either json or xml text or raw data  a file content  to your web service  Because your web service does not need to get any information from a Content-Type header  your JavaScript code did not set this header to your ajax request  But if you do not set this header on a POST PUT ajax request  Safari may add this header   Content-Type  application x-www-form-urlencoded   I observed that on Safari 6 on iPhone  but others Safari versions OS or Chrome may do the same  So when receiving this Content-Type header some part of  NET Framework assume the request body data structure corresponds to an html form posting while it does not and rose an HttpRequestValidationException exception  First thing to do is obviously to always set Content-Type header to anything but a form MIME type on a POST PUT ajax request even it is useless to your web service   I also discovered this detail  On these circumstances  the HttpRequestValidationException exception is rose when your code tries to access HttpRequest Params collection  But surprisingly  this exception is not rose when it accesses HttpRequest ServerVariables collection  This shows that while these two collections seem to be nearly identical  one accesses request data through security checks and the other one does not

User · Answer

Disable the page validation if you really need the special characters like   gt      lt   etc  Then ensure that when the user input is displayed  the data is HTML-encoded    There is a security vulnerability with the page validation  so it can be bypassed  Also the page validation shouldn t be solely relied on   See  http   web archive org web 20080913071637 http   www procheckup com 80 PDFs bypassing-dot-NET-ValidateRequest pdf

User · Answer

You should use the Server HtmlEncode method to protect your site from dangerous input   More info here

User · Answer

How to fix this issue for AjaxExtControls in ASP NET 4 6 2   We had the same problem with AjaxExtControls rich text editor  This issue started right after upgrading from  NET 2 0 to  NET 4 5  I looked at all SOF answers but could not find a solution that does not compromise with the security provided by  NET 4 5   Fix 1 Not Recommended as it can degrade application security    I tested after changing this attribute in  requestValidationMode    2 0 and it worked but I was concerned about the security features  So this is fix is like degrading the security for entire application   Fix 2  Recommended   Since this issue was only occurring with one of AjaxExtControl  I was finally able to solve this issue using the simple code below   editorID value   editorID value replace   gt  g    amp gt     editorID value   editorID value replace   lt  g    amp lt       This code is executed on client side  javascript  before sending the request to server  Note that the editorID is not the ID that we have on our html aspx pages but it is the id of the rich text editor that AjaxExtControl internally uses

User · Answer

Another solution is   protected void Application Start                 RequestValidator Current   new MyRequestValidator       public class MyRequestValidator  RequestValidator       protected override bool IsValidRequestString HttpContext context  string value  RequestValidationSource requestValidationSource  string collectionKey  out int validationFailureIndex                bool result   base IsValidRequestString context  value  requestValidationSource  collectionKey  out validationFailureIndex            if   result                           Write your validation here             if  requestValidationSource    RequestValidationSource Form                    requestValidationSource    RequestValidationSource QueryString                   return true     Suppress error message                   return result

User · Answer

A solution  I don t like to turn off the post validation  validateRequest  false    On the other hand it is not acceptable that the application crashes just because an innocent user happens to type  lt x or something    Therefore I wrote a client side javascript function  xssCheckValidates  that makes a preliminary check  This function is called when there is an attempt to post the form data  like this    lt form id  form1  runat  server  onsubmit  return xssCheckValidates     gt    The function is quite simple and could be improved but it is doing its job   Please notice that the purpose of this is not to protect the system from hacking  it is meant to protect the users from a bad experience  The request validation done at the server is still turned on  and that is  part of  the protection of the system  to the extent it is capable of doing that     The reason i say  part of  here is because I have heard that the built in request validation might not be enough  so other complementary means might be necessary to have full protection  But  again  the javascript function I present here has nothing to do with protecting the system  It is only meant to make sure the users will not have a bad experience   You can try it out here    x000D   x000D      function xssCheckValidates     x000D        var valid   true  x000D        var inp   document querySelectorAll  x000D             input not  disabled  not  readonly   not  type hidden      x000D              textarea not  disabled  not  readonly      x000D        for  var i   0  i  lt  inp length  i      x000D          if   inp i  readOnly    x000D            if  inp i  value indexOf   lt     gt  -1    x000D              valid   false  x000D              break  x000D              x000D            if  inp i  value indexOf   amp      gt  -1    x000D              valid   false  x000D              break  x000D              x000D            x000D          x000D        if  valid    x000D          return true  x000D          else   x000D          alert  In one or more of the text fields  you have typed r nthe character   lt   or the character sequence   amp     r n r nThis is unfortunately not allowed since r nit can be used in hacking attempts  r n r nPlease edit the field and try again     x000D          return false  x000D          x000D        x000D   lt form onsubmit  return xssCheckValidates      gt  x000D    Try to type  lt  or  amp    lt br  gt  x000D     lt input type  text    gt  lt br  gt  x000D     lt textarea gt  lt  textarea gt  x000D     lt input type  submit  value  Send    gt  x000D   lt  form gt  x000D   x000D   x000D

User · Answer

I think you are attacking it from the wrong angle by trying to encode all posted data  Note that a  quot  lt  quot  could also come from other outside sources  like a database field  a configuration  a file  a feed and so on  Furthermore   quot  lt  quot  is not inherently dangerous  It s only dangerous in a specific context  when writing strings that haven t been encoded to HTML output  because of XSS   In other contexts different sub-strings are dangerous  for example  if you write an user-provided URL into a link  the sub-string  quot javascript  quot  may be dangerous  The single quote character on the other hand is dangerous when interpolating strings in SQL queries  but perfectly safe if it is a part of a name submitted from a form or read from a database field  The bottom line is  you can t filter random input for dangerous characters  because any character may be dangerous under the right circumstances  You should encode at the point where some specific characters may become dangerous because they cross into a different sub-language where they have special meaning  When you write a string to HTML  you should encode characters that have special meaning in HTML  using Server HtmlEncode  If you pass a string to a dynamic SQL statement  you should encode different characters  or better  let the framework do it for you by using prepared statements or the like    When you are sure you HTML-encode everywhere you pass strings to HTML  then set ValidateRequest  quot false quot  in the  lt    Page       gt  directive in your  aspx file s   In  NET 4 you may need to do a little more  Sometimes it s necessary to also add  lt httpRuntime requestValidationMode  quot 2 0 quot    gt  to web config  reference

User · Answer

I found a solution that uses JavaScript to encode the data  which is decoded in  NET  and doesn t require jQuery     Make the textbox an HTML element  like textarea  instead of an ASP one  Add a hidden field  Add the following JavaScript function to your header        function boo             targetText   document getElementById  HiddenField1            sourceText   document getElementById  userbox            targetText value   escape sourceText innerText            In your textarea  include an onchange that calls boo      lt textarea id  userbox   onchange  boo     gt  lt  textarea gt    Finally  in  NET  use  string val   Server UrlDecode HiddenField1 Value     I am aware that this is one-way - if you need two-way you ll have to get creative  but this provides a solution if you cannot edit the web config  Here s an example I  MC9000  came up with and use via jQuery     document  ready function               txtHTML   change function              var currentText       txtHTML   text            currentText   escape currentText      Escapes the HTML including quotations  etc             hidHTML   val currentText      Set the hidden field                 Intercept the postback         btnMyPostbackButton   click function                  txtHTML   val         Clear the textarea before POSTing                                   If you don t clear it  it will give you                                   the error due to the HTML in the textarea          return true     Post back                 And the markup    lt asp HiddenField ID  hidHTML  runat  server    gt   lt textarea id  txtHTML  gt  lt  textarea gt   lt asp Button ID  btnMyPostbackButton  runat  server  Text  Post Form    gt    This works great  If a hacker tries to post via bypassing JavaScript  they they will just see the error  You can save all this data encoded in a database as well  then unescape it  on the server side   and parse  amp  check for attacks before displaying elsewhere

User · Answer

Last but not least  please note ASP NET Data Binding controls automatically encode values during data binding  This changes the default behavior of all ASP NET controls  TextBox  Label etc  contained in the ItemTemplate  The following sample demonstrates  ValidateRequest is set to false    aspx   lt    Page Language  C   ValidateRequest  false  AutoEventWireup  true  CodeBehind  Default aspx cs  Inherits  WebApplication17  Default    gt   lt html gt   lt body gt       lt form runat  server  gt           lt asp FormView ID  FormView1  runat  server  ItemType  WebApplication17 S  SelectMethod  FormView1 GetItem  gt               lt ItemTemplate gt                   lt asp TextBox ID  TextBox1  runat  server  gt  lt  asp TextBox gt                   lt asp Button ID  Button1  runat  server  Text  Button  OnClick  Button1 Click    gt                   lt asp Label ID  Label1  runat  server  Text   lt     Item Text   gt   gt  lt  asp Label gt                   lt asp TextBox ID  TextBox2  runat  server  Text   lt     Item Text   gt   gt  lt  asp TextBox gt               lt  ItemTemplate gt           lt  asp FormView gt       lt  form gt         code behind  public partial class  Default   Page       S s   new S         protected void Button1 Click object sender  EventArgs e                s Text     TextBox FormView1 FindControl  TextBox1    Text          FormView1 DataBind               public S FormView1 GetItem int  id                return s           public class S       public string Text   get  set         Case submit value   amp  39    Label1 Text value   amp  39   TextBox2 Text value   amp amp  39    Case submit value   lt script gt alert  attack     lt  script gt    Label1 Text value   lt script gt alert  attack     lt  script gt   TextBox2 Text value   amp lt script amp gt alert  amp  39 attack  amp  39    amp lt  script amp gt

User · Answer

Use the Server HtmlEncode  yourtext

User · Answer

You should use the Server HtmlEncode method to protect your site from dangerous input   More info here

User · Answer

In  Net 4 0 and onwards  which is the usual case  put the following setting in system web   lt system web gt        lt httpRuntime requestValidationMode  2 0    gt

User · Answer

For MVC  ignore input validation by adding        ValidateInput false     above each Action in the Controller

User · Answer

For MVC  ignore input validation by adding        ValidateInput false     above each Action in the Controller

User · Answer

in my case  using asp Textbox control  Asp net 4 5   instead of setting the all page for validateRequest  false   i used    lt asp TextBox runat  server  ID  mainTextBox              ValidateRequestMode  Disabled    gt  lt  asp TextBox gt    on the Textbox that caused the exception

User · Answer

For ASP NET 4 0  you can allow markup as input for specific pages instead of the whole site by putting it all in a  lt location gt  element   This will make sure all your other pages are safe   You do NOT need to put ValidateRequest  false  in your  aspx page    lt configuration gt         lt location path  MyFolder  aspx  gt       lt system web gt         lt pages validateRequest  false    gt         lt httpRuntime requestValidationMode  2 0    gt       lt  system web gt     lt  location gt       lt  configuration gt    It is safer to control this inside your web config  because you can see at a site level which pages allow markup as input   You still need to programmatically validate input on pages where request validation is disabled

User · Answer

I see there s a lot written about this   and I didn t see this mentioned  This has been available since  NET Framework 4 5 The ValidateRequestMode setting for a control is a great option  This way the other controls on the page are still protected  No web config changes needed   protected void Page Load object sender  EventArgs e          txtMachKey ValidateRequestMode   ValidateRequestMode Disabled

User · Answer

As long as these are only   lt   and      and not the double quote itself  characters and you re using them in context like  lt input value  this    gt   you re safe  while for  lt textarea gt this one lt  textarea gt  you would be vulnerable of course   That may simplify your situation  but for anything more use one of other posted solutions

User · Answer

I guess you could do it in a module  but that leaves open some questions  what if you want to save the input to a database  Suddenly because you re saving encoded data to the database you end up trusting input from it which is probably a bad idea  Ideally you store raw unencoded data in the database and the encode every time   Disabling the protection on a per page level and then encoding each time is a better option   Rather than using Server HtmlEncode you should look at the newer  more complete Anti-XSS library from the Microsoft ACE team

User · Answer

in my case  using asp Textbox control  Asp net 4 5   instead of setting the all page for validateRequest  false   i used    lt asp TextBox runat  server  ID  mainTextBox              ValidateRequestMode  Disabled    gt  lt  asp TextBox gt    on the Textbox that caused the exception

User · Answer

If you don t want to disable ValidateRequest you need to implement a JavaScript function in order to avoid the exception  It is not the best option  but it works   function AlphanumericValidation evt        var charCode    evt charCode    evt charCode     evt keyCode    evt keyCode             evt which    evt which   0            User type Enter key     if  charCode    13                   Do something  set controls focus or do anything         return false                User can not type non alphanumeric characters     if    charCode  lt   48                                   charCode  gt  122                                    charCode  gt  57   amp  amp   charCode  lt  65                 charCode  gt  90   amp  amp   charCode  lt  97                             Show a message or do something         return false            Then in code behind  on the PageLoad event  add the attribute to your control with the next code   Me TextBox1 Attributes Add  OnKeyPress    return AlphanumericValidation event

User · Answer

The answer to this question is simple   var varname   Request Unvalidated  parameter name      This would disable validation for the particular request

User · Answer

In ASP NET MVC you need to set requestValidationMode  2 0  and validateRequest  false  in web config  and apply a ValidateInput attribute to your controller action    lt httpRuntime requestValidationMode  2 0   gt    lt configuration gt       lt system web gt           lt pages validateRequest  false    gt       lt  system web gt   lt  configuration gt    and   Post  ValidateInput false   public ActionResult Edit string message

User · Answer

In ASP NET MVC you need to set requestValidationMode  2 0  and validateRequest  false  in web config  and apply a ValidateInput attribute to your controller action    lt httpRuntime requestValidationMode  2 0   gt    lt configuration gt       lt system web gt           lt pages validateRequest  false    gt       lt  system web gt   lt  configuration gt    and   Post  ValidateInput false   public ActionResult Edit string message

User · Answer

Try with      Server Encode   and      Server HtmlDecode     while sending and receiving

User · Answer

I guess you could do it in a module  but that leaves open some questions  what if you want to save the input to a database  Suddenly because you re saving encoded data to the database you end up trusting input from it which is probably a bad idea  Ideally you store raw unencoded data in the database and the encode every time   Disabling the protection on a per page level and then encoding each time is a better option   Rather than using Server HtmlEncode you should look at the newer  more complete Anti-XSS library from the Microsoft ACE team

User · Answer

For those of us still stuck on webforms I found the following solution that enables you to only disable the validation on one field   I would hate to disable it for the whole page    VB NET   Public Class UnvalidatedTextBox     Inherits TextBox     Protected Overrides Function LoadPostData postDataKey As String  postCollection As NameValueCollection  As Boolean         Return MyBase LoadPostData postDataKey  System Web HttpContext Current Request Unvalidated Form      End Function End Class   C    public class UnvalidatedTextBox   TextBox       protected override bool LoadPostData string postDataKey  NameValueCollection postCollection                return base LoadPostData postDataKey  System Web HttpContext Current Request Unvalidated Form             Now just use  lt prefix UnvalidatedTextBox id  test  runat  server    gt  instead of  lt asp TextBox  and it should allow all characters  this is perfect for password fields

User · Answer

Disable the page validation if you really need the special characters like   gt      lt   etc  Then ensure that when the user input is displayed  the data is HTML-encoded    There is a security vulnerability with the page validation  so it can be bypassed  Also the page validation shouldn t be solely relied on   See  http   web archive org web 20080913071637 http   www procheckup com 80 PDFs bypassing-dot-NET-ValidateRequest pdf

User · Answer

If you don t want to disable ValidateRequest you need to implement a JavaScript function in order to avoid the exception  It is not the best option  but it works   function AlphanumericValidation evt        var charCode    evt charCode    evt charCode     evt keyCode    evt keyCode             evt which    evt which   0            User type Enter key     if  charCode    13                   Do something  set controls focus or do anything         return false                User can not type non alphanumeric characters     if    charCode  lt   48                                   charCode  gt  122                                    charCode  gt  57   amp  amp   charCode  lt  65                 charCode  gt  90   amp  amp   charCode  lt  97                             Show a message or do something         return false            Then in code behind  on the PageLoad event  add the attribute to your control with the next code   Me TextBox1 Attributes Add  OnKeyPress    return AlphanumericValidation event

User · Answer

If you re using framework 4 0 then the entry in the web config   lt pages validateRequest  false        lt configuration gt       lt system web gt           lt pages validateRequest  false    gt       lt  system web gt   lt  configuration gt    If you re using framework 4 5 then the entry in the web config  requestValidationMode  2 0     lt system web gt       lt compilation debug  true  targetFramework  4 5    gt       lt httpRuntime targetFramework  4 5  requestValidationMode  2 0   gt   lt  system web gt    If you want for only single page then  In you aspx file you should put the first line as this     lt    Page EnableEventValidation  false    gt    if you already have something like   lt    Page so just add the rest    EnableEventValidation  false      I recommend not to do it

User · Answer

In  Net 4 0 and onwards  which is the usual case  put the following setting in system web   lt system web gt        lt httpRuntime requestValidationMode  2 0    gt

User · Answer

If you re just looking to tell your users that  lt  and   are not to be used BUT  you don t want the entire form processed posted back  and lose all the input  before-hand could you not simply put in a validator around the field to screen for those  and maybe other potentially dangerous  characters

User · Answer

Please bear in mind that some  NET controls will automatically HTML encode the output  For instance  setting the  Text property on a TextBox control will automatically encode it  That specifically means converting  lt  into  amp lt    gt  into  amp gt  and  amp  into  amp amp   So be wary of doing this     myTextBox Text   Server HtmlEncode myStringFromDatabase      Pseudo code   However  the  Text property for HyperLink  Literal and Label won t HTML encode things  so wrapping Server HtmlEncode    around anything being set on these properties is a must if you want to prevent  lt script gt  window location    http   www google com    lt  script gt  from being output into your page and subsequently executed   Do a little experimenting to see what gets encoded and what doesn t

User · Answer

You should use the Server HtmlEncode method to protect your site from dangerous input   More info here

User · Answer

You should use the Server HtmlEncode method to protect your site from dangerous input   More info here

User · Answer

If you re just looking to tell your users that  lt  and   are not to be used BUT  you don t want the entire form processed posted back  and lose all the input  before-hand could you not simply put in a validator around the field to screen for those  and maybe other potentially dangerous  characters

User · Answer

Cause  ASP NET by default validates all input controls for potentially unsafe contents that can lead to cross-site scripting  XSS  and SQL injections  Thus it disallows such content by throwing the above exception  By default it is recommended to allow this check to happen on each postback   Solution  On many occasions you need to submit HTML content to your page through Rich TextBoxes or Rich Text Editors  In that case you can avoid this exception by setting the ValidateRequest tag in the  Page directive to false    lt    Page Language  C   AutoEventWireup  true  ValidateRequest    false    gt    This will disable the validation of requests for the page you have set the ValidateRequest flag to false  If you want to disable this  check throughout your web application  you   ll need to set it to false in your web config  lt system web  section   lt pages validateRequest   false    gt    For  NET 4 0 or higher frameworks you will need to also add the following line in the  lt system web  section to make the above work    lt httpRuntime requestValidationMode    2 0    gt    That   s it  I hope this helps you in getting rid of the above issue   Reference by  ASP Net Error  A potentially dangerous Request Form value was detected from the client

User · Answer

In ASP NET MVC  starting in version 3   you can add the AllowHtml attribute to a property on your model   It allows a request to include HTML markup during model binding by skipping request validation for the property    AllowHtml  public string Description   get  set

User · Answer

As indicated in my comment to Sel s answer  this is our extension to a custom request validator   public class SkippableRequestValidator   RequestValidator       protected override bool IsValidRequestString HttpContext context  string value  RequestValidationSource requestValidationSource  string collectionKey  out int validationFailureIndex                if  collectionKey    null  amp  amp  collectionKey EndsWith   NoValidation                          validationFailureIndex   0              return true                     return base IsValidRequestString context  value  requestValidationSource  collectionKey  out validationFailureIndex

User · Answer

In ASP NET MVC you need to set requestValidationMode  2 0  and validateRequest  false  in web config  and apply a ValidateInput attribute to your controller action    lt httpRuntime requestValidationMode  2 0   gt    lt configuration gt       lt system web gt           lt pages validateRequest  false    gt       lt  system web gt   lt  configuration gt    and   Post  ValidateInput false   public ActionResult Edit string message

User · Answer

There s a different solution to this error if you re using ASP NET MVC    ASP NET MVC     pages validateRequest false doesn   t work  Why is ValidateInput False  not working  ASP NET MVC RC1  VALIDATEINPUT  A POTENTIAL DANGEROUS REQUEST AND THE PITFALL   C  sample    HttpPost  ValidateInput false   public ActionResult Edit FormCollection collection                   Visual Basic sample    lt AcceptVerbs HttpVerbs Post   ValidateInput False  gt    Function Edit ByVal collection As FormCollection  As ActionResult         End Function

User · Answer

Please bear in mind that some  NET controls will automatically HTML encode the output  For instance  setting the  Text property on a TextBox control will automatically encode it  That specifically means converting  lt  into  amp lt    gt  into  amp gt  and  amp  into  amp amp   So be wary of doing this     myTextBox Text   Server HtmlEncode myStringFromDatabase      Pseudo code   However  the  Text property for HyperLink  Literal and Label won t HTML encode things  so wrapping Server HtmlEncode    around anything being set on these properties is a must if you want to prevent  lt script gt  window location    http   www google com    lt  script gt  from being output into your page and subsequently executed   Do a little experimenting to see what gets encoded and what doesn t

User · Answer

I guess you could do it in a module  but that leaves open some questions  what if you want to save the input to a database  Suddenly because you re saving encoded data to the database you end up trusting input from it which is probably a bad idea  Ideally you store raw unencoded data in the database and the encode every time   Disabling the protection on a per page level and then encoding each time is a better option   Rather than using Server HtmlEncode you should look at the newer  more complete Anti-XSS library from the Microsoft ACE team

User · Answer

I think you are attacking it from the wrong angle by trying to encode all posted data  Note that a  quot  lt  quot  could also come from other outside sources  like a database field  a configuration  a file  a feed and so on  Furthermore   quot  lt  quot  is not inherently dangerous  It s only dangerous in a specific context  when writing strings that haven t been encoded to HTML output  because of XSS   In other contexts different sub-strings are dangerous  for example  if you write an user-provided URL into a link  the sub-string  quot javascript  quot  may be dangerous  The single quote character on the other hand is dangerous when interpolating strings in SQL queries  but perfectly safe if it is a part of a name submitted from a form or read from a database field  The bottom line is  you can t filter random input for dangerous characters  because any character may be dangerous under the right circumstances  You should encode at the point where some specific characters may become dangerous because they cross into a different sub-language where they have special meaning  When you write a string to HTML  you should encode characters that have special meaning in HTML  using Server HtmlEncode  If you pass a string to a dynamic SQL statement  you should encode different characters  or better  let the framework do it for you by using prepared statements or the like    When you are sure you HTML-encode everywhere you pass strings to HTML  then set ValidateRequest  quot false quot  in the  lt    Page       gt  directive in your  aspx file s   In  NET 4 you may need to do a little more  Sometimes it s necessary to also add  lt httpRuntime requestValidationMode  quot 2 0 quot    gt  to web config  reference

User · Answer

Try with      Server Encode   and      Server HtmlDecode     while sending and receiving

User · Answer

If you don t want to disable ValidateRequest you need to implement a JavaScript function in order to avoid the exception  It is not the best option  but it works   function AlphanumericValidation evt        var charCode    evt charCode    evt charCode     evt keyCode    evt keyCode             evt which    evt which   0            User type Enter key     if  charCode    13                   Do something  set controls focus or do anything         return false                User can not type non alphanumeric characters     if    charCode  lt   48                                   charCode  gt  122                                    charCode  gt  57   amp  amp   charCode  lt  65                 charCode  gt  90   amp  amp   charCode  lt  97                             Show a message or do something         return false            Then in code behind  on the PageLoad event  add the attribute to your control with the next code   Me TextBox1 Attributes Add  OnKeyPress    return AlphanumericValidation event

User · Answer

As long as these are only   lt   and      and not the double quote itself  characters and you re using them in context like  lt input value  this    gt   you re safe  while for  lt textarea gt this one lt  textarea gt  you would be vulnerable of course   That may simplify your situation  but for anything more use one of other posted solutions

User · Answer

Disable the page validation if you really need the special characters like   gt      lt   etc  Then ensure that when the user input is displayed  the data is HTML-encoded    There is a security vulnerability with the page validation  so it can be bypassed  Also the page validation shouldn t be solely relied on   See  http   web archive org web 20080913071637 http   www procheckup com 80 PDFs bypassing-dot-NET-ValidateRequest pdf

User · Answer

Disable the page validation if you really need the special characters like   gt      lt   etc  Then ensure that when the user input is displayed  the data is HTML-encoded    There is a security vulnerability with the page validation  so it can be bypassed  Also the page validation shouldn t be solely relied on   See  http   web archive org web 20080913071637 http   www procheckup com 80 PDFs bypassing-dot-NET-ValidateRequest pdf

User · Answer

In the web config file  within the  tags  insert the httpRuntime element with the attribute requestValidationMode  2 0   Also add the validateRequest  false  attribute in the pages element   Example    lt configuration gt     lt system web gt      lt httpRuntime requestValidationMode  2 0    gt     lt  system web gt     lt pages validateRequest  false  gt     lt  pages gt   lt  configuration gt

User · Answer

You can HTML encode text box content  but unfortunately that won t stop the exception from happening  In my experience there is no way around  and you have to disable page validation  By doing that you re saying   I ll be careful  I promise

User · Answer

You should use the Server HtmlEncode method to protect your site from dangerous input   More info here

User · Answer

You can HTML encode text box content  but unfortunately that won t stop the exception from happening  In my experience there is no way around  and you have to disable page validation  By doing that you re saying   I ll be careful  I promise

User · Answer

As indicated in my comment to Sel s answer  this is our extension to a custom request validator   public class SkippableRequestValidator   RequestValidator       protected override bool IsValidRequestString HttpContext context  string value  RequestValidationSource requestValidationSource  string collectionKey  out int validationFailureIndex                if  collectionKey    null  amp  amp  collectionKey EndsWith   NoValidation                          validationFailureIndex   0              return true                     return base IsValidRequestString context  value  requestValidationSource  collectionKey  out validationFailureIndex

User · Answer

You can use something like   var nvc   Request Unvalidated   Form    Later  nvc  yourKey   should work

User · Answer

I was getting this error too   In my case  a user entered an accented character    in a Role Name  regarding the ASP NET membership provider    I pass the role name to a method to grant Users to that role and the   ajax post request was failing miserably     I did this to solve the problem   Instead of  data    roleName    Model RoleName   users  users     Do this  data    roleName    Html Raw  Model RoleName    users  users      Html Raw did the trick   I was getting the Role name as HTML value roleName  Cadastro b amp  225 s   This value with HTML entity  amp  225  was being blocked by ASP NET MVC  Now I get the roleName parameter value the way it should be  roleName  Cadastro B  sico  and ASP NET MVC engine won t block the request anymore

User · Answer

A solution  I don t like to turn off the post validation  validateRequest  false    On the other hand it is not acceptable that the application crashes just because an innocent user happens to type  lt x or something    Therefore I wrote a client side javascript function  xssCheckValidates  that makes a preliminary check  This function is called when there is an attempt to post the form data  like this    lt form id  form1  runat  server  onsubmit  return xssCheckValidates     gt    The function is quite simple and could be improved but it is doing its job   Please notice that the purpose of this is not to protect the system from hacking  it is meant to protect the users from a bad experience  The request validation done at the server is still turned on  and that is  part of  the protection of the system  to the extent it is capable of doing that     The reason i say  part of  here is because I have heard that the built in request validation might not be enough  so other complementary means might be necessary to have full protection  But  again  the javascript function I present here has nothing to do with protecting the system  It is only meant to make sure the users will not have a bad experience   You can try it out here    x000D   x000D      function xssCheckValidates     x000D        var valid   true  x000D        var inp   document querySelectorAll  x000D             input not  disabled  not  readonly   not  type hidden      x000D              textarea not  disabled  not  readonly      x000D        for  var i   0  i  lt  inp length  i      x000D          if   inp i  readOnly    x000D            if  inp i  value indexOf   lt     gt  -1    x000D              valid   false  x000D              break  x000D              x000D            if  inp i  value indexOf   amp      gt  -1    x000D              valid   false  x000D              break  x000D              x000D            x000D          x000D        if  valid    x000D          return true  x000D          else   x000D          alert  In one or more of the text fields  you have typed r nthe character   lt   or the character sequence   amp     r n r nThis is unfortunately not allowed since r nit can be used in hacking attempts  r n r nPlease edit the field and try again     x000D          return false  x000D          x000D        x000D   lt form onsubmit  return xssCheckValidates      gt  x000D    Try to type  lt  or  amp    lt br  gt  x000D     lt input type  text    gt  lt br  gt  x000D     lt textarea gt  lt  textarea gt  x000D     lt input type  submit  value  Send    gt  x000D   lt  form gt  x000D   x000D   x000D

User · Answer

In ASP NET MVC  starting in version 3   you can add the AllowHtml attribute to a property on your model   It allows a request to include HTML markup during model binding by skipping request validation for the property    AllowHtml  public string Description   get  set

User · Answer

It seems no one has mentioned the below yet  but it fixes the issue for me   And before anyone says yeah it s Visual Basic    yuck    lt    Page Language  vb  AutoEventWireup  false  CodeBehind  Example aspx vb  Inherits  Example Example    ValidateRequest  false      gt    I don t know if there are any downsides  but for me this worked amazing

User · Answer

You can use something like   var nvc   Request Unvalidated   Form    Later  nvc  yourKey   should work

User · Answer

You can automatically HTML encode field in custom Model Binder  My solution some different  I put error in ModelState and display error message near the field  It s easy to modify this code for automatically encode    public class AppModelBinder   DefaultModelBinder               protected override object CreateModel ControllerContext controllerContext  ModelBindingContext bindingContext  Type modelType                        try                               return base CreateModel controllerContext  bindingContext  modelType                             catch  HttpRequestValidationException e                                HandleHttpRequestValidationException bindingContext  e                   return null     Encode here                                 protected override object GetPropertyValue ControllerContext controllerContext  ModelBindingContext bindingContext              PropertyDescriptor propertyDescriptor  IModelBinder propertyBinder                        try                               return base GetPropertyValue controllerContext  bindingContext  propertyDescriptor  propertyBinder                             catch  HttpRequestValidationException e                                HandleHttpRequestValidationException bindingContext  e                   return null     Encode here                                  protected void HandleHttpRequestValidationException ModelBindingContext bindingContext  HttpRequestValidationException ex                        var valueProviderCollection   bindingContext ValueProvider as ValueProviderCollection              if  valueProviderCollection    null                                ValueProviderResult valueProviderResult   valueProviderCollection GetValue bindingContext ModelName  skipValidation  true                   bindingContext ModelState SetModelValue bindingContext ModelName  valueProviderResult                              string errorMessage   string Format CultureInfo CurrentCulture    0  contains invalid symbols   lt    amp                         bindingContext ModelMetadata DisplayName                bindingContext ModelState AddModelError bindingContext ModelName  errorMessage                     In Application Start   ModelBinders Binders DefaultBinder   new AppModelBinder      Note that it works only for form fields  Dangerous value not passed to controller model  but stored in ModelState and can be redisplayed on form with error message    Dangerous chars in URL may be handled this way   private void Application Error object sender  EventArgs e        Exception exception   Server GetLastError        HttpContext httpContext   HttpContext Current       HttpException httpException   exception as HttpException      if  httpException    null                RouteData routeData   new RouteData            routeData Values Add  controller    Error            var httpCode   httpException GetHttpCode            switch  httpCode                        case  int HttpStatusCode BadRequest    400                     if  httpException Message Contains  Request Path                                          httpContext Response Clear                        RequestContext requestContext   new RequestContext new HttpContextWrapper Context   routeData                       requestContext RouteData Values  action     InvalidUrl                       requestContext RouteData Values  controller     Error                       IControllerFactory factory   ControllerBuilder Current GetControllerFactory                        IController controller   factory CreateController requestContext   Error                        controller Execute requestContext                       httpContext Server ClearError                        Response StatusCode    int HttpStatusCode BadRequest    400                                       break                      ErrorController     public class ErrorController   Controller       public ActionResult InvalidUrl              return View

User · Answer

I know this question is about form posting  but I would like to add some details for people who received this error on others circumstances  It could also occur on a handler used to implement a web service     Suppose your web client sends POST or PUT requests using ajax and sends either json or xml text or raw data  a file content  to your web service  Because your web service does not need to get any information from a Content-Type header  your JavaScript code did not set this header to your ajax request  But if you do not set this header on a POST PUT ajax request  Safari may add this header   Content-Type  application x-www-form-urlencoded   I observed that on Safari 6 on iPhone  but others Safari versions OS or Chrome may do the same  So when receiving this Content-Type header some part of  NET Framework assume the request body data structure corresponds to an html form posting while it does not and rose an HttpRequestValidationException exception  First thing to do is obviously to always set Content-Type header to anything but a form MIME type on a POST PUT ajax request even it is useless to your web service   I also discovered this detail  On these circumstances  the HttpRequestValidationException exception is rose when your code tries to access HttpRequest Params collection  But surprisingly  this exception is not rose when it accesses HttpRequest ServerVariables collection  This shows that while these two collections seem to be nearly identical  one accesses request data through security checks and the other one does not

User · Answer

I guess you could do it in a module  but that leaves open some questions  what if you want to save the input to a database  Suddenly because you re saving encoded data to the database you end up trusting input from it which is probably a bad idea  Ideally you store raw unencoded data in the database and the encode every time   Disabling the protection on a per page level and then encoding each time is a better option   Rather than using Server HtmlEncode you should look at the newer  more complete Anti-XSS library from the Microsoft ACE team

User · Answer

I think you are attacking it from the wrong angle by trying to encode all posted data  Note that a  quot  lt  quot  could also come from other outside sources  like a database field  a configuration  a file  a feed and so on  Furthermore   quot  lt  quot  is not inherently dangerous  It s only dangerous in a specific context  when writing strings that haven t been encoded to HTML output  because of XSS   In other contexts different sub-strings are dangerous  for example  if you write an user-provided URL into a link  the sub-string  quot javascript  quot  may be dangerous  The single quote character on the other hand is dangerous when interpolating strings in SQL queries  but perfectly safe if it is a part of a name submitted from a form or read from a database field  The bottom line is  you can t filter random input for dangerous characters  because any character may be dangerous under the right circumstances  You should encode at the point where some specific characters may become dangerous because they cross into a different sub-language where they have special meaning  When you write a string to HTML  you should encode characters that have special meaning in HTML  using Server HtmlEncode  If you pass a string to a dynamic SQL statement  you should encode different characters  or better  let the framework do it for you by using prepared statements or the like    When you are sure you HTML-encode everywhere you pass strings to HTML  then set ValidateRequest  quot false quot  in the  lt    Page       gt  directive in your  aspx file s   In  NET 4 you may need to do a little more  Sometimes it s necessary to also add  lt httpRuntime requestValidationMode  quot 2 0 quot    gt  to web config  reference

User · Answer

I was getting this error too   In my case  a user entered an accented character    in a Role Name  regarding the ASP NET membership provider    I pass the role name to a method to grant Users to that role and the   ajax post request was failing miserably     I did this to solve the problem   Instead of  data    roleName    Model RoleName   users  users     Do this  data    roleName    Html Raw  Model RoleName    users  users      Html Raw did the trick   I was getting the Role name as HTML value roleName  Cadastro b amp  225 s   This value with HTML entity  amp  225  was being blocked by ASP NET MVC  Now I get the roleName parameter value the way it should be  roleName  Cadastro B  sico  and ASP NET MVC engine won t block the request anymore

User · Answer

If you are on  NET 4 0 make sure you add this in your web config file inside the  lt system web gt  tags    lt httpRuntime requestValidationMode  2 0    gt      In  NET 2 0  request validation only applied to aspx requests  In  NET 4 0 this was expanded to include all requests  You can revert to only performing XSS validation when processing  aspx by specifying   requestValidationMode  2 0    You can disable request validate entirely by specifying   validateRequest  false

User · Answer

If you re just looking to tell your users that  lt  and   are not to be used BUT  you don t want the entire form processed posted back  and lose all the input  before-hand could you not simply put in a validator around the field to screen for those  and maybe other potentially dangerous  characters

User · Answer

I see there s a lot written about this   and I didn t see this mentioned  This has been available since  NET Framework 4 5 The ValidateRequestMode setting for a control is a great option  This way the other controls on the page are still protected  No web config changes needed   protected void Page Load object sender  EventArgs e          txtMachKey ValidateRequestMode   ValidateRequestMode Disabled

User · Answer

You can catch that error in Global asax   I still want to validate  but show an appropriate message    On the blog listed below  a sample like this was available         void Application Error object sender  EventArgs e                Exception ex   Server GetLastError             if  ex is HttpRequestValidationException                        Response Clear                Response StatusCode   200              Response Write    html                 Response End                      Redirecting to another page also seems like a reasonable response to the exception   http   www romsteady net blog 2007 06 how-to-catch-httprequestvalidationexcep html

User · Answer

The answer to this question is simple   var varname   Request Unvalidated  parameter name      This would disable validation for the particular request

User · Answer

Please bear in mind that some  NET controls will automatically HTML encode the output  For instance  setting the  Text property on a TextBox control will automatically encode it  That specifically means converting  lt  into  amp lt    gt  into  amp gt  and  amp  into  amp amp   So be wary of doing this     myTextBox Text   Server HtmlEncode myStringFromDatabase      Pseudo code   However  the  Text property for HyperLink  Literal and Label won t HTML encode things  so wrapping Server HtmlEncode    around anything being set on these properties is a must if you want to prevent  lt script gt  window location    http   www google com    lt  script gt  from being output into your page and subsequently executed   Do a little experimenting to see what gets encoded and what doesn t

User · Answer

There s a different solution to this error if you re using ASP NET MVC    ASP NET MVC     pages validateRequest false doesn   t work  Why is ValidateInput False  not working  ASP NET MVC RC1  VALIDATEINPUT  A POTENTIAL DANGEROUS REQUEST AND THE PITFALL   C  sample    HttpPost  ValidateInput false   public ActionResult Edit FormCollection collection                   Visual Basic sample    lt AcceptVerbs HttpVerbs Post   ValidateInput False  gt    Function Edit ByVal collection As FormCollection  As ActionResult         End Function

User · Answer

If you are on  NET 4 0 make sure you add this in your web config file inside the  lt system web gt  tags    lt httpRuntime requestValidationMode  2 0    gt      In  NET 2 0  request validation only applied to aspx requests  In  NET 4 0 this was expanded to include all requests  You can revert to only performing XSS validation when processing  aspx by specifying   requestValidationMode  2 0    You can disable request validate entirely by specifying   validateRequest  false

User · Answer

Try with      Server Encode   and      Server HtmlDecode     while sending and receiving

User · Answer

It seems no one has mentioned the below yet  but it fixes the issue for me   And before anyone says yeah it s Visual Basic    yuck    lt    Page Language  vb  AutoEventWireup  false  CodeBehind  Example aspx vb  Inherits  Example Example    ValidateRequest  false      gt    I don t know if there are any downsides  but for me this worked amazing

User · Answer

You can HTML encode text box content  but unfortunately that won t stop the exception from happening  In my experience there is no way around  and you have to disable page validation  By doing that you re saying   I ll be careful  I promise

User · Answer

I was getting this error too   In my case  a user entered an accented character    in a Role Name  regarding the ASP NET membership provider    I pass the role name to a method to grant Users to that role and the   ajax post request was failing miserably     I did this to solve the problem   Instead of  data    roleName    Model RoleName   users  users     Do this  data    roleName    Html Raw  Model RoleName    users  users      Html Raw did the trick   I was getting the Role name as HTML value roleName  Cadastro b amp  225 s   This value with HTML entity  amp  225  was being blocked by ASP NET MVC  Now I get the roleName parameter value the way it should be  roleName  Cadastro B  sico  and ASP NET MVC engine won t block the request anymore

User · Answer

Another solution is   protected void Application Start                 RequestValidator Current   new MyRequestValidator       public class MyRequestValidator  RequestValidator       protected override bool IsValidRequestString HttpContext context  string value  RequestValidationSource requestValidationSource  string collectionKey  out int validationFailureIndex                bool result   base IsValidRequestString context  value  requestValidationSource  collectionKey  out validationFailureIndex            if   result                           Write your validation here             if  requestValidationSource    RequestValidationSource Form                    requestValidationSource    RequestValidationSource QueryString                   return true     Suppress error message                   return result

User · Answer

Cause  ASP NET by default validates all input controls for potentially unsafe contents that can lead to cross-site scripting  XSS  and SQL injections  Thus it disallows such content by throwing the above exception  By default it is recommended to allow this check to happen on each postback   Solution  On many occasions you need to submit HTML content to your page through Rich TextBoxes or Rich Text Editors  In that case you can avoid this exception by setting the ValidateRequest tag in the  Page directive to false    lt    Page Language  C   AutoEventWireup  true  ValidateRequest    false    gt    This will disable the validation of requests for the page you have set the ValidateRequest flag to false  If you want to disable this  check throughout your web application  you   ll need to set it to false in your web config  lt system web  section   lt pages validateRequest   false    gt    For  NET 4 0 or higher frameworks you will need to also add the following line in the  lt system web  section to make the above work    lt httpRuntime requestValidationMode    2 0    gt    That   s it  I hope this helps you in getting rid of the above issue   Reference by  ASP Net Error  A potentially dangerous Request Form value was detected from the client

User · Answer

In ASP NET  you can catch the exception and do something about it  such as displaying a friendly message or redirect to another page    Also there is a possibility that you can handle the validation by yourself     Display friendly message   protected override void OnError EventArgs e        base OnError e       var ex   Server GetLastError   GetBaseException        if  ex is System Web HttpRequestValidationException                Response Clear            Response Write  Invalid characters         Response Write HttpUtility HtmlEncode ex Message            Response StatusCode   200          Response End

User · Answer

Disable the page validation if you really need the special characters like   gt      lt   etc  Then ensure that when the user input is displayed  the data is HTML-encoded    There is a security vulnerability with the page validation  so it can be bypassed  Also the page validation shouldn t be solely relied on   See  http   web archive org web 20080913071637 http   www procheckup com 80 PDFs bypassing-dot-NET-ValidateRequest pdf

User · Answer

You can HTML encode text box content  but unfortunately that won t stop the exception from happening  In my experience there is no way around  and you have to disable page validation  By doing that you re saying   I ll be careful  I promise

User · Answer

If you re using framework 4 0 then the entry in the web config   lt pages validateRequest  false        lt configuration gt       lt system web gt           lt pages validateRequest  false    gt       lt  system web gt   lt  configuration gt    If you re using framework 4 5 then the entry in the web config  requestValidationMode  2 0     lt system web gt       lt compilation debug  true  targetFramework  4 5    gt       lt httpRuntime targetFramework  4 5  requestValidationMode  2 0   gt   lt  system web gt    If you want for only single page then  In you aspx file you should put the first line as this     lt    Page EnableEventValidation  false    gt    if you already have something like   lt    Page so just add the rest    EnableEventValidation  false      I recommend not to do it

User · Answer

For those who are not using model binding  who are extracting each parameter from the Request Form  who are sure the input text will cause no harm  there is another way  Not a great solution but it will do the job     From client side  encode it as uri then send it  e g     encodeURIComponent     MsgBody   val         From server side  accept it and decode it as uri  e g     string temp    string IsNullOrEmpty HttpContext Current Request Form  MsgBody      System Web HttpUtility UrlDecode HttpContext Current Request Form  MsgBody       null      or    string temp    string IsNullOrEmpty HttpContext Current Request Form  MsgBody      System Uri UnescapeDataString HttpContext Current Request Form  MsgBody       null     please look for the differences between UrlDecode and UnescapeDataString

User · Answer

I think you are attacking it from the wrong angle by trying to encode all posted data  Note that a  quot  lt  quot  could also come from other outside sources  like a database field  a configuration  a file  a feed and so on  Furthermore   quot  lt  quot  is not inherently dangerous  It s only dangerous in a specific context  when writing strings that haven t been encoded to HTML output  because of XSS   In other contexts different sub-strings are dangerous  for example  if you write an user-provided URL into a link  the sub-string  quot javascript  quot  may be dangerous  The single quote character on the other hand is dangerous when interpolating strings in SQL queries  but perfectly safe if it is a part of a name submitted from a form or read from a database field  The bottom line is  you can t filter random input for dangerous characters  because any character may be dangerous under the right circumstances  You should encode at the point where some specific characters may become dangerous because they cross into a different sub-language where they have special meaning  When you write a string to HTML  you should encode characters that have special meaning in HTML  using Server HtmlEncode  If you pass a string to a dynamic SQL statement  you should encode different characters  or better  let the framework do it for you by using prepared statements or the like    When you are sure you HTML-encode everywhere you pass strings to HTML  then set ValidateRequest  quot false quot  in the  lt    Page       gt  directive in your  aspx file s   In  NET 4 you may need to do a little more  Sometimes it s necessary to also add  lt httpRuntime requestValidationMode  quot 2 0 quot    gt  to web config  reference

User · Answer

I guess you could do it in a module  but that leaves open some questions  what if you want to save the input to a database  Suddenly because you re saving encoded data to the database you end up trusting input from it which is probably a bad idea  Ideally you store raw unencoded data in the database and the encode every time   Disabling the protection on a per page level and then encoding each time is a better option   Rather than using Server HtmlEncode you should look at the newer  more complete Anti-XSS library from the Microsoft ACE team

User · Answer

A potentially dangerous Request Form value was detected from the client     1  set httpRuntime requestValidationMode  2 0  requestPathInvalidCharacters   amp lt   amp gt     in web config file  2   set validateRequest  false  in side pages tag in web config file   lt system web gt       lt httpRuntime requestValidationMode  2 0  requestPathInvalidCharacters   amp lt   amp gt      gt    lt pages controlRenderingCompatibilityVersion  3 5  clientIDMode  AutoID  validateRequest  false   gt   lt system web gt

User · Answer

Try with      Server Encode   and      Server HtmlDecode     while sending and receiving

User · Answer

The answer to this question is simple   var varname   Request Unvalidated  parameter name      This would disable validation for the particular request

User · Answer

If you don t want to disable ValidateRequest you need to implement a JavaScript function in order to avoid the exception  It is not the best option  but it works   function AlphanumericValidation evt        var charCode    evt charCode    evt charCode     evt keyCode    evt keyCode             evt which    evt which   0            User type Enter key     if  charCode    13                   Do something  set controls focus or do anything         return false                User can not type non alphanumeric characters     if    charCode  lt   48                                   charCode  gt  122                                    charCode  gt  57   amp  amp   charCode  lt  65                 charCode  gt  90   amp  amp   charCode  lt  97                             Show a message or do something         return false            Then in code behind  on the PageLoad event  add the attribute to your control with the next code   Me TextBox1 Attributes Add  OnKeyPress    return AlphanumericValidation event

User · Answer

In the web config file  within the  tags  insert the httpRuntime element with the attribute requestValidationMode  2 0   Also add the validateRequest  false  attribute in the pages element   Example    lt configuration gt     lt system web gt      lt httpRuntime requestValidationMode  2 0    gt     lt  system web gt     lt pages validateRequest  false  gt     lt  pages gt   lt  configuration gt

User · Answer

Use   lt httpRuntime requestValidationMode  2 0    gt    in your web config  keeping any attributes you already have on that element  if it s already there   ASP NET4 0 ignores ValidateRequest otherwise   And  of course  do make sure that you take necessary measures to protect against genuinely dangerous requests  now that it s not being done for you   Edit  A great way of doing this is to create your own class derived from RequestValidator  and using the 4 0 behaviour  but with that as the class that does the checking

User · Answer

The previous answers are great  but nobody said how to exclude a single field from being validated for HTML JavaScript injections  I don t know about previous versions  but in MVC3 Beta you can do this    HttpPost  ValidateInput true  Exclude    YourFieldName    public virtual ActionResult Edit int id  FormCollection collection                This still validates all the fields except for the excluded one  The nice thing about this is that your validation attributes still validate the field  but you just don t get the  A potentially dangerous Request Form value was detected from the client  exceptions   I ve used this for validating a regular expression  I ve made my own ValidationAttribute to see if the regular expression is valid or not  As regular expressions can contain something that looks like a script I applied the above code - the regular expression is still being checked if it s valid or not  but not if it contains scripts or HTML

User · Answer

Please bear in mind that some  NET controls will automatically HTML encode the output  For instance  setting the  Text property on a TextBox control will automatically encode it  That specifically means converting  lt  into  amp lt    gt  into  amp gt  and  amp  into  amp amp   So be wary of doing this     myTextBox Text   Server HtmlEncode myStringFromDatabase      Pseudo code   However  the  Text property for HyperLink  Literal and Label won t HTML encode things  so wrapping Server HtmlEncode    around anything being set on these properties is a must if you want to prevent  lt script gt  window location    http   www google com    lt  script gt  from being output into your page and subsequently executed   Do a little experimenting to see what gets encoded and what doesn t

User · Answer

Please bear in mind that some  NET controls will automatically HTML encode the output  For instance  setting the  Text property on a TextBox control will automatically encode it  That specifically means converting  lt  into  amp lt    gt  into  amp gt  and  amp  into  amp amp   So be wary of doing this     myTextBox Text   Server HtmlEncode myStringFromDatabase      Pseudo code   However  the  Text property for HyperLink  Literal and Label won t HTML encode things  so wrapping Server HtmlEncode    around anything being set on these properties is a must if you want to prevent  lt script gt  window location    http   www google com    lt  script gt  from being output into your page and subsequently executed   Do a little experimenting to see what gets encoded and what doesn t

User · Answer

In ASP NET MVC you need to set requestValidationMode  2 0  and validateRequest  false  in web config  and apply a ValidateInput attribute to your controller action    lt httpRuntime requestValidationMode  2 0   gt    lt configuration gt       lt system web gt           lt pages validateRequest  false    gt       lt  system web gt   lt  configuration gt    and   Post  ValidateInput false   public ActionResult Edit string message

User · Answer

Use the Server HtmlEncode  yourtext

User · Answer

Last but not least  please note ASP NET Data Binding controls automatically encode values during data binding  This changes the default behavior of all ASP NET controls  TextBox  Label etc  contained in the ItemTemplate  The following sample demonstrates  ValidateRequest is set to false    aspx   lt    Page Language  C   ValidateRequest  false  AutoEventWireup  true  CodeBehind  Default aspx cs  Inherits  WebApplication17  Default    gt   lt html gt   lt body gt       lt form runat  server  gt           lt asp FormView ID  FormView1  runat  server  ItemType  WebApplication17 S  SelectMethod  FormView1 GetItem  gt               lt ItemTemplate gt                   lt asp TextBox ID  TextBox1  runat  server  gt  lt  asp TextBox gt                   lt asp Button ID  Button1  runat  server  Text  Button  OnClick  Button1 Click    gt                   lt asp Label ID  Label1  runat  server  Text   lt     Item Text   gt   gt  lt  asp Label gt                   lt asp TextBox ID  TextBox2  runat  server  Text   lt     Item Text   gt   gt  lt  asp TextBox gt               lt  ItemTemplate gt           lt  asp FormView gt       lt  form gt         code behind  public partial class  Default   Page       S s   new S         protected void Button1 Click object sender  EventArgs e                s Text     TextBox FormView1 FindControl  TextBox1    Text          FormView1 DataBind               public S FormView1 GetItem int  id                return s           public class S       public string Text   get  set         Case submit value   amp  39    Label1 Text value   amp  39   TextBox2 Text value   amp amp  39    Case submit value   lt script gt alert  attack     lt  script gt    Label1 Text value   lt script gt alert  attack     lt  script gt   TextBox2 Text value   amp lt script amp gt alert  amp  39 attack  amp  39    amp lt  script amp gt

User · Answer

The previous answers are great  but nobody said how to exclude a single field from being validated for HTML JavaScript injections  I don t know about previous versions  but in MVC3 Beta you can do this    HttpPost  ValidateInput true  Exclude    YourFieldName    public virtual ActionResult Edit int id  FormCollection collection                This still validates all the fields except for the excluded one  The nice thing about this is that your validation attributes still validate the field  but you just don t get the  A potentially dangerous Request Form value was detected from the client  exceptions   I ve used this for validating a regular expression  I ve made my own ValidationAttribute to see if the regular expression is valid or not  As regular expressions can contain something that looks like a script I applied the above code - the regular expression is still being checked if it s valid or not  but not if it contains scripts or HTML

User · Answer

As long as these are only   lt   and      and not the double quote itself  characters and you re using them in context like  lt input value  this    gt   you re safe  while for  lt textarea gt this one lt  textarea gt  you would be vulnerable of course   That may simplify your situation  but for anything more use one of other posted solutions

User · Answer

I think you are attacking it from the wrong angle by trying to encode all posted data  Note that a  quot  lt  quot  could also come from other outside sources  like a database field  a configuration  a file  a feed and so on  Furthermore   quot  lt  quot  is not inherently dangerous  It s only dangerous in a specific context  when writing strings that haven t been encoded to HTML output  because of XSS   In other contexts different sub-strings are dangerous  for example  if you write an user-provided URL into a link  the sub-string  quot javascript  quot  may be dangerous  The single quote character on the other hand is dangerous when interpolating strings in SQL queries  but perfectly safe if it is a part of a name submitted from a form or read from a database field  The bottom line is  you can t filter random input for dangerous characters  because any character may be dangerous under the right circumstances  You should encode at the point where some specific characters may become dangerous because they cross into a different sub-language where they have special meaning  When you write a string to HTML  you should encode characters that have special meaning in HTML  using Server HtmlEncode  If you pass a string to a dynamic SQL statement  you should encode different characters  or better  let the framework do it for you by using prepared statements or the like    When you are sure you HTML-encode everywhere you pass strings to HTML  then set ValidateRequest  quot false quot  in the  lt    Page       gt  directive in your  aspx file s   In  NET 4 you may need to do a little more  Sometimes it s necessary to also add  lt httpRuntime requestValidationMode  quot 2 0 quot    gt  to web config  reference

User · Answer

For those of us still stuck on webforms I found the following solution that enables you to only disable the validation on one field   I would hate to disable it for the whole page    VB NET   Public Class UnvalidatedTextBox     Inherits TextBox     Protected Overrides Function LoadPostData postDataKey As String  postCollection As NameValueCollection  As Boolean         Return MyBase LoadPostData postDataKey  System Web HttpContext Current Request Unvalidated Form      End Function End Class   C    public class UnvalidatedTextBox   TextBox       protected override bool LoadPostData string postDataKey  NameValueCollection postCollection                return base LoadPostData postDataKey  System Web HttpContext Current Request Unvalidated Form             Now just use  lt prefix UnvalidatedTextBox id  test  runat  server    gt  instead of  lt asp TextBox  and it should allow all characters  this is perfect for password fields

User · Answer

In ASP NET MVC  starting in version 3   you can add the AllowHtml attribute to a property on your model   It allows a request to include HTML markup during model binding by skipping request validation for the property    AllowHtml  public string Description   get  set

User · Answer

Use the Server HtmlEncode  yourtext

User · Answer

In the web config file  within the  tags  insert the httpRuntime element with the attribute requestValidationMode  2 0   Also add the validateRequest  false  attribute in the pages element   Example    lt configuration gt     lt system web gt      lt httpRuntime requestValidationMode  2 0    gt     lt  system web gt     lt pages validateRequest  false  gt     lt  pages gt   lt  configuration gt

User · Answer

Another solution is   protected void Application Start                 RequestValidator Current   new MyRequestValidator       public class MyRequestValidator  RequestValidator       protected override bool IsValidRequestString HttpContext context  string value  RequestValidationSource requestValidationSource  string collectionKey  out int validationFailureIndex                bool result   base IsValidRequestString context  value  requestValidationSource  collectionKey  out validationFailureIndex            if   result                           Write your validation here             if  requestValidationSource    RequestValidationSource Form                    requestValidationSource    RequestValidationSource QueryString                   return true     Suppress error message                   return result

User · Answer

Well  people are talking about Asp net 4 0 only    I guess we need to address other versions too  Today  I had the same problem when I replaced my AjaxToolkit editor with TinyMCE and with the postback I found the same issue     A potentially dangerous Request Form value was detected from the client     So I used this line inside my webconfig and it worked for me     lt system web gt       lt pages validateRequest  false    gt   lt  system web gt    It should work across Asp net 2 0 to 3 5    UPDATE  Even works upto  net 4 5   UPDATE  You can also try to validate the request on page level rather whole website  Just wanted to let the readers to choose the best way  Thanks DVD for pointing this out

User · Answer

Disable the page validation if you really need the special characters like   gt      lt   etc  Then ensure that when the user input is displayed  the data is HTML-encoded    There is a security vulnerability with the page validation  so it can be bypassed  Also the page validation shouldn t be solely relied on   See  http   web archive org web 20080913071637 http   www procheckup com 80 PDFs bypassing-dot-NET-ValidateRequest pdf

User · Answer

If you don t want to disable ValidateRequest you need to implement a JavaScript function in order to avoid the exception  It is not the best option  but it works   function AlphanumericValidation evt        var charCode    evt charCode    evt charCode     evt keyCode    evt keyCode             evt which    evt which   0            User type Enter key     if  charCode    13                   Do something  set controls focus or do anything         return false                User can not type non alphanumeric characters     if    charCode  lt   48                                   charCode  gt  122                                    charCode  gt  57   amp  amp   charCode  lt  65                 charCode  gt  90   amp  amp   charCode  lt  97                             Show a message or do something         return false            Then in code behind  on the PageLoad event  add the attribute to your control with the next code   Me TextBox1 Attributes Add  OnKeyPress    return AlphanumericValidation event

User · Answer

If you don t want to disable ValidateRequest you need to implement a JavaScript function in order to avoid the exception  It is not the best option  but it works   function AlphanumericValidation evt        var charCode    evt charCode    evt charCode     evt keyCode    evt keyCode             evt which    evt which   0            User type Enter key     if  charCode    13                   Do something  set controls focus or do anything         return false                User can not type non alphanumeric characters     if    charCode  lt   48                                   charCode  gt  122                                    charCode  gt  57   amp  amp   charCode  lt  65                 charCode  gt  90   amp  amp   charCode  lt  97                             Show a message or do something         return false            Then in code behind  on the PageLoad event  add the attribute to your control with the next code   Me TextBox1 Attributes Add  OnKeyPress    return AlphanumericValidation event

User · Answer

The previous answers are great  but nobody said how to exclude a single field from being validated for HTML JavaScript injections  I don t know about previous versions  but in MVC3 Beta you can do this    HttpPost  ValidateInput true  Exclude    YourFieldName    public virtual ActionResult Edit int id  FormCollection collection                This still validates all the fields except for the excluded one  The nice thing about this is that your validation attributes still validate the field  but you just don t get the  A potentially dangerous Request Form value was detected from the client  exceptions   I ve used this for validating a regular expression  I ve made my own ValidationAttribute to see if the regular expression is valid or not  As regular expressions can contain something that looks like a script I applied the above code - the regular expression is still being checked if it s valid or not  but not if it contains scripts or HTML

User · Answer

I guess you could do it in a module  but that leaves open some questions  what if you want to save the input to a database  Suddenly because you re saving encoded data to the database you end up trusting input from it which is probably a bad idea  Ideally you store raw unencoded data in the database and the encode every time   Disabling the protection on a per page level and then encoding each time is a better option   Rather than using Server HtmlEncode you should look at the newer  more complete Anti-XSS library from the Microsoft ACE team

User · Answer

It seems no one has mentioned the below yet  but it fixes the issue for me   And before anyone says yeah it s Visual Basic    yuck    lt    Page Language  vb  AutoEventWireup  false  CodeBehind  Example aspx vb  Inherits  Example Example    ValidateRequest  false      gt    I don t know if there are any downsides  but for me this worked amazing

User · Answer

None of the suggestions worked for me   I did not want to turn off this feature for the whole website anyhow because 99  time I do not want my users placing HTML on web forms   I just created my own work around method since I m the only one using this particular application   I convert the input to HTML in the code behind and insert it into my database

User · Answer

For MVC  ignore input validation by adding        ValidateInput false     above each Action in the Controller

User · Answer

If you re using framework 4 0 then the entry in the web config   lt pages validateRequest  false        lt configuration gt       lt system web gt           lt pages validateRequest  false    gt       lt  system web gt   lt  configuration gt    If you re using framework 4 5 then the entry in the web config  requestValidationMode  2 0     lt system web gt       lt compilation debug  true  targetFramework  4 5    gt       lt httpRuntime targetFramework  4 5  requestValidationMode  2 0   gt   lt  system web gt    If you want for only single page then  In you aspx file you should put the first line as this     lt    Page EnableEventValidation  false    gt    if you already have something like   lt    Page so just add the rest    EnableEventValidation  false      I recommend not to do it

User · Answer

You can automatically HTML encode field in custom Model Binder  My solution some different  I put error in ModelState and display error message near the field  It s easy to modify this code for automatically encode    public class AppModelBinder   DefaultModelBinder               protected override object CreateModel ControllerContext controllerContext  ModelBindingContext bindingContext  Type modelType                        try                               return base CreateModel controllerContext  bindingContext  modelType                             catch  HttpRequestValidationException e                                HandleHttpRequestValidationException bindingContext  e                   return null     Encode here                                 protected override object GetPropertyValue ControllerContext controllerContext  ModelBindingContext bindingContext              PropertyDescriptor propertyDescriptor  IModelBinder propertyBinder                        try                               return base GetPropertyValue controllerContext  bindingContext  propertyDescriptor  propertyBinder                             catch  HttpRequestValidationException e                                HandleHttpRequestValidationException bindingContext  e                   return null     Encode here                                  protected void HandleHttpRequestValidationException ModelBindingContext bindingContext  HttpRequestValidationException ex                        var valueProviderCollection   bindingContext ValueProvider as ValueProviderCollection              if  valueProviderCollection    null                                ValueProviderResult valueProviderResult   valueProviderCollection GetValue bindingContext ModelName  skipValidation  true                   bindingContext ModelState SetModelValue bindingContext ModelName  valueProviderResult                              string errorMessage   string Format CultureInfo CurrentCulture    0  contains invalid symbols   lt    amp                         bindingContext ModelMetadata DisplayName                bindingContext ModelState AddModelError bindingContext ModelName  errorMessage                     In Application Start   ModelBinders Binders DefaultBinder   new AppModelBinder      Note that it works only for form fields  Dangerous value not passed to controller model  but stored in ModelState and can be redisplayed on form with error message    Dangerous chars in URL may be handled this way   private void Application Error object sender  EventArgs e        Exception exception   Server GetLastError        HttpContext httpContext   HttpContext Current       HttpException httpException   exception as HttpException      if  httpException    null                RouteData routeData   new RouteData            routeData Values Add  controller    Error            var httpCode   httpException GetHttpCode            switch  httpCode                        case  int HttpStatusCode BadRequest    400                     if  httpException Message Contains  Request Path                                          httpContext Response Clear                        RequestContext requestContext   new RequestContext new HttpContextWrapper Context   routeData                       requestContext RouteData Values  action     InvalidUrl                       requestContext RouteData Values  controller     Error                       IControllerFactory factory   ControllerBuilder Current GetControllerFactory                        IController controller   factory CreateController requestContext   Error                        controller Execute requestContext                       httpContext Server ClearError                        Response StatusCode    int HttpStatusCode BadRequest    400                                       break                      ErrorController     public class ErrorController   Controller       public ActionResult InvalidUrl              return View

[c#] A potentially dangerous Request.Form value was detected from the client

Examples related to c#

Examples related to jquery

Examples related to asp.net

Examples related to architecture

Examples related to postback