Hi

I have an ASP.NET application that has problems when I enter special characters such as ": &#, " in the search box. If I enter this text in the search box, I get an exception like this.

A potentially dangerous Request.Form value was detected from the client (txtValue=": &#, ").

Then I searched the net and found one general solution for this: set validateRequest to false. But it made no change in my application. Please help me solve this issue. Any response would be appreciated.

+2  A: 

Add a web.config containing

<system.web>
    <pages validateRequest="false" />
</system.web>

to the directory with the page that has the form in question.

See http://www.asp.net/learn/whitepapers/request-validation for a complete description.

In case you use asp.net 4.0, you may try

<httpRuntime requestValidationMode="2.0" />

See also

marapet
I tried this method too, but no change.
Dilse Naaz
Hm, works in all my web applications. Do you use .net 2.0 or above? Which OS?
marapet
.net 3.5 and OS is server 2003 IE8
Dilse Naaz
Sorry, works for me in the same environment. I'd try to reproduce this behavior on a clean web site in order to exclude other components and web.config settings.
marapet
If you need to set ValidateRequest="false", you should do it on a page-by-page basis in the <%@ Page %> directive; otherwise you're potentially opening a security hole in your whole application.
PhilPursglove
@PhilPursglove I agree that it is best practice to do it on a page-by-page basis - unless you know what you are doing. ValidateRequest=true is a security measure for web applications which are not properly coded. From the above linked page on www.asp.net: "This request validation feature can be disabled when the application has been designed to safely process HTML data." And of course we do exactly that, don't we?! I usually do it on a directory basis. Special care is to be taken if you use 3rd party components that rely on that request validation (but you shouldn't use those anyway...).
marapet
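
The scoping discussed in the comments above, as an added example that is not from any of the posters: a root web.config that keeps request validation on for the application and turns it off for one page only. The page name Search.aspx is a hypothetical placeholder, and the httpRuntime line assumes ASP.NET 4.0.

```xml
<?xml version="1.0"?>
<!-- Root web.config of the application.
     Search.aspx is a hypothetical page name used for illustration. -->
<configuration>

  <!-- Application-wide default: request validation stays on. -->
  <system.web>
    <pages validateRequest="true" />
  </system.web>

  <!-- Weak form, shown for comparison only: putting
       validateRequest="false" on the pages element above
       disables the check for every page in the application. -->

  <!-- Scoped form: only the page that hosts the search box opts out. -->
  <location path="Search.aspx">
    <system.web>
      <pages validateRequest="false" />
      <!-- ASP.NET 4.0 only: without this, 4.0 validates the request
           before the pages setting is consulted. Remove this line on
           2.0 and 3.5, where the attribute is not recognized and
           causes a configuration error. -->
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>

</configuration>
```

A page that opts out this way has to HTML-encode the submitted value itself (for example with Server.HtmlEncode) wherever it writes it back into the response.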