A potentially dangerous Request.Form value was detected from the client

Question

I have this issue. I have tried everything. ValidateRequest="false".. and decoding and encoding html.. etc. etc..

What I need is a popup box (so im using ModalPopupExtender) to present to a user where people can type in xml settings and click ok/cancel button to close the popup and save.

However i keep on getting this error "A potentially dangerous Request.Form value was detected from the client"..

Here is my test code below (quick example of my scenario and error)..

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm1.aspx.cs" Inherits="WebApplication1.WebForm1"
    ValidateRequest="false" %>

<%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit" TagPrefix="cc1" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <asp:ScriptManager ID="ScriptManager1" runat="server">
    </asp:ScriptManager>
    <div>
        <asp:Panel ID="Popup" runat="server" Width="800px" Style="display: none;">
            <asp:LinkButton ID="Display" runat="server" Style="display: none;" OnClick="Display_Click" />
            <cc1:ModalPopupExtender ID="ModalPopupExtender" runat="server" TargetControlID="Display"
                PopupControlID="Popup" DropShadow="false" Y="10" />
            <div id="Item">
                <div class="Item">
                    <table width="100%">
                        <tr>                                
                            <td>
                                <textarea id="txtAreaValue" cols="35" rows="6" style="resize: none;" runat="server" />
                            </td>
                        </tr>
                        <tr>                                
                            <td>
                                <asp:Button ID="btnOk" Text="Ok" SkinID="default" Width="50px" runat="server" />
                                <asp:Button ID="btnCancel" Text="Cancel" SkinID="default" Width="50px" OnClick="BtnCancel_Click"
                                    runat="server" />
                            </td>
                        </tr>
                    </table>
                </div>
            </div>
        </asp:Panel>
    </div>
    </form>
</body>
</html>

Code Behind:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace WebApplication1
{
    public partial class WebForm1 : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            ModalPopupExtender.Show();
            string str = "<?xml version=\"1.0\" encoding=\"utf-8\"?><XmlConfig xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"> <XmlConfig Type=\"TEST\" DefiningXpath=\"/PERSON/NAME\"><Index Name=\"Name\" XPath=\"/PERSON/NAME/VALUE\" Type=\"String\" /><Index Name=\"Id\" XPath=\"/PERSON/NAME/ID\" Type=\"String\" /> </XmlConfig></XmlConfig>";

            txtAreaValue.InnerText = str;
        }

        protected void Display_Click(object sender, EventArgs e)
        {
            //Shows the Item detail Edit box
            ModalPopupExtender.Show();
        }

        protected void BtnCancel_Click(object sender, EventArgs e)
        {
            ModalPopupExtender.Hide();
        }
    }
}

To run the code.. Add ref to AjaxControltoolkit.dll and then run and you will see the textarea being populated with xml. Click on the cancel button and this causes the error. Please can anyone help me?

Answer 1

Use

<httpRuntime requestValidationMode="2.0" />

in your web.config (keeping any attributes you already have on that element, if it's already there). ASP.NET4.0 ignores ValidateRequest otherwise.

And, of course, do make sure that you take necessary measures to protect against genuinely dangerous requests, now that it's not being done for you.

Edit: A great way of doing this is to create your own class derived from RequestValidator, and using the 4.0 behaviour, but with that as the class that does the checking.

Answer 2

Here are possible solution which may help you. Make server side configuration setting for this. If you want to allow HTML element as input from selected pages in your project than you set this page attribute.

<%@ Page ValidateRequest="false" %>

This ValidateRequest="false" on each page. If you want in all pages in you project than make changes in Web.Config file. Add this tag In section.

If you are using .Net 4.0 than you have to make one more change in Web.Config file. Add this tag In section.

<httpRuntime requestValidationMode="2.0" />

Here are configuration for do not validate request for all pages in .Net 4.0

<configuration>
  <system.web>
     <httpRuntime requestValidationMode="2.0" />
  </system.web>
  <pages validateRequest="false">
  </pages>
</configuration>

Here is full example on this. Click Here...

Answer 3

Well, people are talking about Asp.net 4.0 only... I guess we need to address other versions too. Today, I had the same problem when I replaced my AjaxToolkit editor with TinyMCE and with the postback I found the same issue.

"A potentially dangerous Request.Form value was detected from the client"..

So I used this line inside my webconfig and it worked for me.

<system.web>
    <pages validateRequest="false" />
</system.web>

It should work across Asp.net 2.0 to 3.5.

UPDATE: Even works upto .net 4.5

UPDATE: You can also try to validate the request on page level rather whole website. Just wanted to let the readers to choose the best way. Thanks DVD for pointing this out.