tags:

views:

174

answers:

1
+2  Q: 

A potentially dangerous Request.Form value was detected from the client

Hi

I have one asp.net application, which has some problems while i am entering the special characters such as ": &#, " in the search box. If i enter this text in search box, i got the exception like this.

A potentially dangerous Request.Form value was detected from the client (txtValue=": &#, ").

then i searched on the net, i got one general solution for this that to set the validaterequest to false. But no changes has been made on my application. Please help me for solving this issue. Any response that would be appreciated.

+2  A: 

Add a web.config containing

<system.web>
    <pages validateRequest="false" />
</system.web>

to the directory with the page that has the form in question.

See http://www.asp.net/learn/whitepapers/request-validation for a complete description.

In case you use asp.net 4.0, you may try 

<httpRuntime requestValidationMode="2.0" />

See also

marapet  2010-06-02 06:10:33
I tried this method too.. But no change
Dilse Naaz  2010-06-02 06:11:21
Hm, works in all my web applications. Do you use .net 2.0 or above? Which OS?
marapet  2010-06-02 06:17:21
.net 3.5 and OS is server 2003 IE8
Dilse Naaz  2010-06-02 06:38:05
Sorry, works for me in the same environnement. I'd try to reproduce this behavior on a clean web site in order to exclude other components and web.config settings.
marapet  2010-06-02 07:12:42
If you need to set ValidateRequest="false", you should do it on a page-by-page basis in the <%@ Page %> directive; otherwise you're potentially opening a security hole in your whole application.
PhilPursglove  2010-06-02 08:17:52
@PhilPursglove I agree that it is best practice to do by a page-by-page basis - unless you know what you are doing. ValidateRequest=true is a security measure for web applications which are not properly coded. From the above linked page on www.asp.net: "This request validation feature can be disabled when the application has been designed to safely process HTML data." And of course we do exactly that, don't we?! I usually do it on a directory basis. Special care is to be taken if you use 3rd party components that rely on that request validation (but you shouldn't use those anyway...).
marapet  2010-06-02 08:55:22

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?