Menu
here are the definations from MSDN,
4.0 (the default). The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever any HTTP request data is accessed. This guarantees that the request validation is triggered before data such as cookies and URLs are accessed during the request. The request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are ignored.
2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.
but I don't follow, can some help to explain a little bit?
302
You might have a look at this
Think of it as that not only request from .aspx pages are validated for malicous requests, rather than all requests are validated. This might result it websites breaking their functionality if they were upgraded from 2.0 to 4.0
To be honest, I don't now why certain request fail. So far I've only set my 4.0 apps back to 2.0 validation
<httpRuntime requestValidationMode="2.0" />
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
