Potentially dangerous Request.Form value was detected from the client

Question

I am running an ASP.Net MVC application and facing the following error. As I am new to ASP.Net, could someone please help me as to what does it mean and how can I resolve it?

I tried googling to understand it, but found different answers for the same error which left me more confused.

Exception caught in Global.asax:System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$WarningCtl1$TXTWarningText="

This is the warni..."). at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) at System.Web.HttpRequest.get_Form() at System.Web.HttpRequest.get_HasForm() at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.app_config_appttypes_groupappttypes_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Please suggest.

Answer 1

You need to add the ValidateInputAttribute to your controller (which applies it to all of your action methods for that controller, so be careful):

[ValidateInput (false)]
public class MyController : Controller { ... }

Or your action method:

public class MyOtherController : Controller
{
    [ValidateInput (false)]
    public ActionResult MyActionMethod (MyObjectThatTakesInHtml myObject)
    { ... }
}

Edit

As @dotjoe pointed out, and I forgot to mention, you also have access to the AllowHtmlAttribute (found in System.Web.Mvc) on a property in your model.

public class MyObjectThatTakesInHtml
{
    [AllowHtml]
    public string MyHtmlProperty { get; set; }
}

Answer 2

• Encode at client level and decode it in Server Level

Steps

1.Post the form using jquery submit method.

in jquery button click event method encode field that you want to post to server. example

$("#field").val(encodeURIComponent($("#field").val())) $("#formid").submit();

In Controller Level access all form id value using

HttpUtility.UrlDecode(Request["fieldid"])

Make sure controller method dont have parameter.