views:

190

answers:

1

I have a client that claims to get the server error "A potentially dangerous Request.Form value was detected from the client"

...and this is likely to be that html is entered and something I need to fix a better way of managing than validateRequest=true.

http://www.aspcode.net/A-potentially-dangerous-RequestForm-value-was-detected-from-the-client.aspx

But my client claims to have entered pure text and no html. What are the validation rules for an error? Only <>? Is there any other charactes I need to look out for?

/Niels

+2  A: 

The trigger characters for validate request filtering are less-than and ampersand.

More details here: http://keepitlocked.net/archive/2007/10/30/asp-net-validaterequest-and-the-html-attribute-based-cross-site-scripting.aspx

RickNZ