Isn't dangerous if I set ValidateRequest to false?

I'm using the FreeTextBox HTML editor in some webforms in my ASP.NET project. If I do not set the ValidateRequest property to false I get this error:

A potentially dangerous Request.Form value was detected from the client

It's OK in the admin folder though, because only authorized users have access to work with it. But how about public pages, like sections where every user has access to leave comments (using FreeTextBox for collecting users' comments)? Isn't it risky for an XSS attack? If the answer is not yes, then what's the ValidateRequest property for?

Mostafa asked Dec 21 '22 21:12


2 Answers

Nope, you are correct, this is potentially dangerous. The idea behind it is that .NET doesn't want to restrict what can be done with its controls, but at the same time remove many of the possibilities for a security hole. The ValidateRequest property is there so you can tell ASP.NET, "Hey, don't worry about this. I'm going to validate it myself, because I expect something that may look dangerous to you."

It's set to validate responses by default, because not validating potential XSS attacks is dangerous, and it's better to get a validation error that you didn't realize than have your site hacked.

kemiller2002 answered Jan 10 '23 10:01


Yes, it's OK to disable the request validation.

The request validation catches the most common characters and phrases used in XSS attacks and similar, but it cannot catch every possible way of doing an exploit. So, while the request validation offers protection from most exploits, you are never completely protected by it; you still have to treat all input as potentially evil.

The first purpose of the request validation is to protect applications that are built by people who are clueless about XSS attacks and similar, so that they are not completely unprotected. If you know how to treat input correctly, and also manage to implement that correctly, the request validation is not needed.

Guffa answered Jan 10 '23 10:01
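Both answers above make the same point: turning ValidateRequest off is acceptable only if the page itself takes over the job of treating the posted HTML as untrusted. The code below is an added example of what "validate it myself" looks like for the public-comments case in the question; it is not code from the thread or from FreeTextBox. It assumes a WebForms code-behind with a FreeTextBox control named CommentEditor, Literal controls named CommentOutput and AuthorOutput, a TextBox named AuthorName, a hypothetical CommentRepository for storage, and the NuGet package "HtmlSanitizer" (class Ganss.Xss.HtmlSanitizer; the namespace was Ganss.XSS before version 8). The allow-list is deliberately small: anything the comment feature does not need is stripped rather than blocked by a pattern match, which is the gap Guffa describes in the built-in request validation.

```csharp
// Code-behind for a public comment page (added example, not from the thread).
// The .aspx page is assumed to carry <%@ Page Language="C#" ValidateRequest="false" ... %>.
// On ASP.NET 4.0 and later that directive only takes effect if web.config also has
//   <system.web><httpRuntime requestValidationMode="2.0" /></system.web>
// otherwise the framework keeps rejecting the FreeTextBox post before this code runs.
using System;
using System.Web;
using System.Web.UI;
using Ganss.Xss;   // NuGet "HtmlSanitizer"; namespace is Ganss.XSS in versions before 8

public partial class Comments : Page
{
    // One sanitizer for the whole application, configured once with an explicit allow-list.
    private static readonly HtmlSanitizer Sanitizer = CreateSanitizer();

    private static HtmlSanitizer CreateSanitizer()
    {
        var s = new HtmlSanitizer();

        // Start from nothing and add only the formatting a comment actually needs.
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a" })
            s.AllowedTags.Add(tag);

        // No event handlers, no style, no id/class: only href on links survives.
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");

        // Links may only point at http/https; javascript:, data: and the like are dropped.
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.Add("http");
        s.AllowedSchemes.Add("https");

        // Inline CSS is not needed for comments, so allow none of it.
        s.AllowedCssProperties.Clear();
        return s;
    }

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // FreeTextBox posts raw HTML. With request validation off, nothing has checked it yet,
        // so it is untrusted input exactly as the answers say.
        string rawHtml = CommentEditor.Text;          // FreeTextBox control (name assumed)

        // Reduce the markup to the allow-list before it is stored or rendered.
        string safeHtml = Sanitizer.Sanitize(rawHtml);

        // Store the sanitized form, and sanitize again at render time if the stored data
        // could have been written by any other path (hypothetical repository).
        CommentRepository.Save(safeHtml);

        // Rendering as markup is justified only because the string passed the allow-list.
        CommentOutput.Text = safeHtml;                // Literal control (name assumed)

        // Plain-text fields are never HTML: encode them on output instead of sanitizing.
        AuthorOutput.Text = HttpUtility.HtmlEncode(AuthorName.Text);
    }
}
```

The design choice worth noting is the split between the two output paths: the rich-text comment goes through an allow-list sanitizer because it must keep some markup, while the author name is HTML-encoded because it must keep none. Mixing the two (encoding the comment, or merely sanitizing the name) is the usual way a page with ValidateRequest="false" ends up with the XSS hole the question is worried about.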