<httpRuntime requestValidationMode="2.0" /> doesn't work (using IIS 6.0)

Question

Hi

I'm getting errors with an application on our test web server, which has .NET 4.0 installed, when I input HTML into a form. I get the usual errors of:

A potentially dangerous Request.Form value was detected from the client

This is being caused by the change in .NET 4.0 that disables switching off automatic validation for HTML input.

I can fix this on my local development machine by adding the directive to the section of my root web.config, and .NET then honours the directive that's in the same root web.config. Strangely, I needed to restart IIS on my local machine (which is version 5.1) for this change to work.

When I deploy the root web.config to our test server however, I'm still getting the validation errors. I've tried using run > iisreset, stopping and starting IIS (which is version 6.0 on the test server), and I've even restarted the server to fully clear out .NET. My application is definitely picking up the new root web.config (I've tested this), however the directive seems to just be ignored.

My application is configured as a .NET 4.0 application on both my local machine and on the test server. I've tried rebuilding the application and redeploying it to the test web server. Can anyone suggest what I need to do to get this working?

Thanks in advance, Chris

Answer 1

Are you sure you are running your app under an app pool under 4.0? Or are you perchance running it in a virtual application/directory that is a child to a 2.0/3.5 app?

Answer 2

Hi Ted

Many thanks for the reply - any different ideas are helpful. I've checked my local and test server configurations, and they look pretty similar. On the test server (which is giving the problem), the application runs under it's own app pool, however I can't see any settings on the pool itself that relate to the .NET version. The main 'Web Sites' folder in IIS is configured to use .NET 4.0 (right-click > properties > 'ASP.NET tab > ASP.NET version is showing 4.0.30319), and this is the same for the website under this folder that the app is running under, and for the actual virtual directory for the app. Do you have any other idea of what could be causing this?

Thanks again, Chris

Answer 3

On our test server running IIS 6.0, adding the to the root web.config (to try to make the entry in the same root web.config take effect when running under the .NET 4.0 framework), doesn't work. If these entries are added to the web.config for an individual application, and the application is converted to .NET 4.0, then it works and automatic validation of HTML input is switched off. The directory and all parent directories of the application need to be configured as .NET 4.0.