I'm testing a Tiny_MCE plugin for BlogEngine.NET extension I wrote earlier and I keep receiving the following error message whenever I use my own extension or the extremely popular SyntaxHighlighter extension which both have similar behaviors and both implement Tiny_MCE plugins:

Url : 'http://localhost/admin/Pages/Add_entry.aspx'

Raw Url : /admin/Pages/Add_entry.aspx

Message : A potentially dangerous Request.Form value was detected from the client (ctl00$cphAdmin$txtContent$TinyMCE1$txtContent="

Source : System.Web

StackTrace :
   at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.get_Form()
   at System.Web.HttpRequest.get_Item(String key)
   at BlogEngine.Core.Web.HttpModules.CompressionModule.context_PostReleaseRequestState(Object sender, EventArgs e) in D:\Projects\Be-1610\BlogEngine\DotNetSlave.BusinessLogic\Web\HttpModules\CompressionModule.cs:line 62
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

TargetSite : Void ValidateString(System.String, System.String, System.Web.Util.RequestValidationSource)

My question is thus: although I receive this error on my local environment (IIS 7.5 ASP.NET 4.0 Integrated App Pool) I receive no error whatsoever on my live environment (IIS 7.5 ASP.NET 3.5 SP1/ 3.0 / 2.0.) Additionally whenever I test the extension using debug mode in Visual Studio 2010 and run the site off of a separate instance I don't receive this error.

I'm almost certain that the fact that this issue only occurs on my localhost IIS instance indicates that it's a configuration issue or a behavior specific to ASP.NET 4.0, but I don't know what exactly. Do any of you know what might be causing this?

+1  A: 

It's telling you that a control (such as a text input) is returning something that looks like HTML or JavaScript, and that it's not going to assume you're sanitizing your inputs.

Of course, since you are being paranoid about your inputs (you are, aren't you?) you can turn that warning off.

How to turn it off for that page:

<%@ Page Language="vb" ValidateRequest="false" [etc]

To turn it off for the whole site, put this in web.config:

<system.web>
    <pages validateRequest="false" />
    [etc.]
egrunin
I understand that - but why does it only raise this issue under this particular configuration and not the others? The codebase is the same between all of the other instances - only a connection string in the web.config file and the other IIS settings are different.
Aaronontheweb
@Aaronontheweb. Because those are not the only variations in your configuration. If you haven't specified the validateRequest=false in your web.config, it is then dependent on the settings in the (for example) enterprise.config and machine.config files for the framework version you are using.
Roger Willcocks
I went ahead and accepted this as the best answer because even though it doesn't truly address the spirit of my question, it still provides a couple of work-arounds. Thanks for your help!
Aaronontheweb
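Added example, not part of the original thread: on ASP.NET 4.0, request validation is enabled for every request before BeginRequest, and `validateRequest="false"` is honoured only when `<httpRuntime requestValidationMode="2.0" />` is also set, which matches the 4.0-only behaviour described in the question. The web.config fragment below contrasts the site-wide switch from the answer with one scoped to the editor page; the `location` path is taken from the Raw Url in the error, and the rest of the file is assumed.

```xml
<configuration>

  <!-- Weak: the site-wide form from the answer above (shown commented out).
       Every page in the application stops validating posted values, and on
       ASP.NET 4.0 the attribute has no effect by itself. -->
  <!--
  <system.web>
    <pages validateRequest="false" />
  </system.web>
  -->

  <!-- Narrower: only the page that hosts the TinyMCE editor is exempted.
       All other pages keep the ASP.NET 4.0 default request validation. -->
  <location path="admin/Pages/Add_entry.aspx">
    <system.web>
      <!-- Revert this path to the ASP.NET 2.0 validation behaviour, where
           validation is driven by the page and validateRequest is honoured. -->
      <httpRuntime requestValidationMode="2.0" />
      <pages validateRequest="false" />
    </system.web>
  </location>

</configuration>
```

With validation off for that path, the posted editor content reaches the application unfiltered, so it has to be sanitised or HTML-encoded by the application before it is rendered.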
A: 

TinyMCE I believe has a way to encode the content that it submits to the server. Check that out and this message will go away. Because what @egrunin said is correct.

spinon
A: 

It is basically because the user might have posted some data in HTML tag form, or TinyMCE is posting data in HTML forms. Try looking for properties that will return plain text from the editor. Also, you can try the above to see if it solves your issue.

Amit Ranjan