
A potentially dangerous Request.QueryString value was detected from the client when sending html markup from jquery post call to asp.net page

I'm making an ajax call using jQuery to an ASP.NET page which acts as my ajax server page to save the data which I am sending to it in the query string. In the ASP.NET page, when I am trying to read the query string, I am getting this error:

A potentially dangerous Request.QueryString value was detected from the client...

I have set ValidateRequest="false" in my page. I don't want to set it for all the pages, so I did it at page level instead of config level:

    var content = "<h3>Sample header</h3><p>sample para</p>";
    content = encodeURIComponent(content);
    var url = "../Lib/ajaxhandler.aspx?mode=savecontent&page=home&ltxt=" + content;

    $.post(url, function (data) {
        // check return value and do something
    });

And in my ASP.NET page:

 <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="ajaxhandler.aspx.cs" ValidateRequest="false" Inherits="MyProject.Lib.ajaxhandler" %>

But when I am sending plain text instead of the HTML markup, it works fine.

Shyju asked Oct 07 '10 20:10


2 Answers

If this is ASP.NET 4, there was a breaking change with ValidateRequest. See this StackOverflow question for more information on requestValidationMode.

Forgotten Semicolon answered Oct 29 '22 17:10


There's already a good answer for this, and here I'll provide the information so that you don't have to click through links.

When running ASP.NET 4.0, you will need to set the following in your web.config file: RequestValidationMode="2.0".

What is this property for?

A value that indicates which ASP.NET version-specific approach to validation will be used. The default is 4.0.

So what are the possible values?

  • 4.0 (the default). The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever any HTTP request data is accessed. This guarantees that the request validation is triggered before data such as cookies and URLs are accessed during the request. The request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are ignored.

  • 2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.

Information cited from this MSDN site.

Jim Aho answered Oct 29 '22 15:10
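
An added example, not part of either answer above: a web.config fragment that applies the 2.0 validation mode to the one handler page only, next to the application-wide form for comparison. The attribute is written `requestValidationMode` on the `<httpRuntime>` element; the path `Lib/ajaxhandler.aspx` relative to the application root is an assumption taken from the URL in the question.

```xml
<configuration>

  <!-- Application-wide form, shown for comparison and left commented out.
       With this, request validation covers pages only (not every HTTP request),
       and each page's ValidateRequest setting decides whether it is validated. -->
  <!--
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
  -->

  <!-- Scoped form: only the handler page reverts to 2.0 behaviour, so its
       ValidateRequest="false" @ Page directive is honoured again. Every other
       request keeps the default 4.0 validation.
       Path is an assumption: adjust to the page's location under the app root. -->
  <location path="Lib/ajaxhandler.aspx">
    <system.web>
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>

</configuration>
```

With validation off for this page, the `ltxt` value reaches the handler unfiltered, so the handler has to treat it as untrusted markup and sanitize or encode it before it is stored or rendered.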