ASP.NET - ..A potentially dangerous Request.Form value was detected from the cli

Asked By shah zeb on 20-Dec-11 11:31 PM
Hi,
I am getting the above error.
I read a lot of articles but no gains.
It is suggested on most sites that "Validaterequest = false"
Some suggest to set the

<httpRuntime requestValidationMode="2.0" />


Some have suggested

controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
A lot of things like this, but no gains.
I have also tried Server.HtmlEncode.

I am using IIS 7.5 and .NET Framework 4.0.

Can somebody suggest a good solution?
Regards,
sz
 

Riley K replied to shah zeb on 20-Dec-11 11:39 PM


Just try this per page

<%@ Page ... ValidateRequest="false" %>



Regards

Jitendra Faye replied to shah zeb on 20-Dec-11 11:43 PM
There are the following solutions for this:

1. Add ValidateRequest="false" to your page directive, like this:

<%@ Page Language="vb" AutoEventWireup="false" Codebehind="MyForm.aspx.vb" Inherits="Proj.MyForm" ValidateRequest="false"%>

2. Encode your text

Unless you actually need users to be able to enter HTML you must convert the string to its HTML encoding equivalent - basically this means that certain characters (like "<") are converted to codes (so "<" is converted to "&lt;", etc). To perform this conversion use HttpUtility.HtmlEncode, for example:


MyLabel.Text = HttpUtility.HtmlEncode(MyTextBox.Text)

Riley K replied to shah zeb on 20-Dec-11 11:43 PM


If you want it in the web.config, set it like this:

<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>

Regards

Scott Depriest replied to Riley K on 21-Dec-11 01:23 AM
Thanks for the share, I had the same problem also.

Anoop S replied to shah zeb on 21-Dec-11 01:40 AM
A nonalphanumeric string might be misconstrued by the ASP.NET runtime as a possible script attack. Better yet, you can use the "validateRequest = false" in the page directive.

WebForms – Per Page

This is a matter of adding the ValidateRequest property to the page directive per page:

<%@ Page Language="c#" … ValidateRequest="false"%>

WebForms – Globally

Turning off validation (which is not recommended unless you need to and know the consequences) is done by editing the Web.config file’s pages element and adding the validateRequest attribute as shown below:

<system.web>
  :
  <pages validateRequest="false" />
  :
</system.web>

BUT use HttpUtility.HtmlEncode() to properly encode your strings to a "safe" string version.
See the following link:

http://msdn.microsoft.com/en-us/library/w3te6wfz.aspx
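
Added example, not part of any reply above: a C# code-behind for a page that has ValidateRequest="false", showing the server-side input check and output encoding the page then has to do itself. The page name, control IDs and length limit are assumptions made for illustration.

```csharp
// Added example, not code from the thread. Assumed page directive (hypothetical names):
//   <%@ Page Language="C#" ValidateRequest="false"
//       CodeBehind="CommentForm.aspx.cs" Inherits="Demo.CommentForm" %>
// On .NET 4.0 the page-level setting only takes effect when web.config also has
//   <httpRuntime requestValidationMode="2.0" />
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Demo
{
    public class CommentForm : Page
    {
        // Controls assumed to exist in the .aspx markup with these IDs.
        protected TextBox CommentBox;
        protected Label ErrorLabel;
        protected Label PreviewLabel;
        protected Literal PreviewLiteral;

        private const int MaxCommentLength = 2000; // constructed limit

        protected void SubmitButton_Click(object sender, EventArgs e)
        {
            string raw = CommentBox.Text ?? string.Empty;

            // Request validation is off for this page, so validate here instead.
            if (raw.Trim().Length == 0 || raw.Length > MaxCommentLength)
            {
                ErrorLabel.Text = "Comment must be 1 to " + MaxCommentLength + " characters.";
                PreviewLabel.Text = string.Empty;
                PreviewLiteral.Text = string.Empty;
                return;
            }
            ErrorLabel.Text = string.Empty;

            // Label.Text is written to the response as-is, so encode it first:
            // "<script>" becomes "&lt;script&gt;" and is displayed, not executed.
            PreviewLabel.Text = HttpUtility.HtmlEncode(raw);

            // A Literal in Encode mode HTML-encodes its Text when rendering;
            // pass the raw value here, otherwise it is encoded twice.
            PreviewLiteral.Mode = LiteralMode.Encode;
            PreviewLiteral.Text = raw;
        }
    }
}
```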