
requestValidationMode 4.5 vs 2.0

Is there a difference between requestValidationMode="4.5" and requestValidationMode="2.0"? I have a .NET 4.5 application; there is a control which I don't want to validate, as users can enter HTML tags in it:

<asp:TextBox ID="txtTitle" runat="server" ValidateRequestMode="Disabled" /> 

In my web.config I have:

<compilation debug="true" strict="false" explicit="true" targetFramework="4.5">...</compilation>
<httpRuntime targetFramework="4.5" requestValidationMode="2.0" />

Initially I put requestValidationMode="4.5" but that didn't work; I would still get the error about the tags - "A potentially dangerous Request.Form value was detected from the client ..." as soon as I would submit the form. However, if I set it to requestValidationMode="2.0" it works; I'm able to hit the PageLoad and encode the value from that field.

Paritosh asked May 16 '13 14:05


2 Answers

Yes, there is a difference between the two. Any requestValidationMode specified as 4.0 or above will use the 4.0 way, and any requestValidationMode specified as below 4.0 will use the 2.0 way. Below is a description of the two:

http://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.requestvalidationmode.aspx

4.0 (the default). The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever any HTTP request data is accessed. This guarantees that the request validation is triggered before data such as cookies and URLs are accessed during the request. The request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are ignored.

2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.

As a note: there are other solutions. Since you are using ASP.NET 4.5, you may want to look into validating on a per-control level; that way you can leave the requestValidationMode property in the web.config at 4.5 and only change it on controls that need it. http://msdn.microsoft.com/en-us/library/system.web.ui.control.validaterequestmode.aspx

chris_dotnet answered Oct 20 '22 20:10


I agree with Chris_dotnet's answer.

However, I would like to add a small side note:

In your web.config file, enclose the requestValidationMode="2.0" tag under the location tag so you only allow a specific page to have this "waiver" to skip the validation.

<location path="YourPage.aspx">
  <system.web>
    <httpRuntime requestValidationMode="2.0"/>
  </system.web>
</location>
AV2000 answered Oct 20 '22 20:10
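
Whichever of the configurations above lets the post through, the value of txtTitle then reaches the page unscreened, so output encoding becomes the only XSS defence for that field. The code-behind below is an added example of that handling, not code from the question or either answer. The page class `EditTitle`, the controls `btnSave` and `litTitle`, the session key and the 200-character limit are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind for the page holding txtTitle. The control fields
// (txtTitle, litTitle) are assumed to be declared in the page's designer file.
public partial class EditTitle : Page
{
    private const int MaxTitleLength = 200;   // assumed limit
    private const string TitleKey = "title";  // assumed session key

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            ShowTitle(Session[TitleKey] as string);
        }
    }

    protected void btnSave_Click(object sender, EventArgs e)
    {
        // Request validation does not screen this field, so the text may
        // contain markup; treat it as untrusted data from here on.
        string rawTitle = (txtTitle.Text ?? string.Empty).Trim();

        if (rawTitle.Length == 0 || rawTitle.Length > MaxTitleLength)
        {
            litTitle.Text = "Title must be 1 to " + MaxTitleLength + " characters.";
            return;
        }

        // Store the raw value and encode at output time, so stored data is
        // never double-encoded and each output path applies its own encoding.
        Session[TitleKey] = rawTitle;
        ShowTitle(rawTitle);
    }

    private void ShowTitle(string title)
    {
        // A Literal in its default mode writes Text unencoded, so encode here.
        // (Setting Mode="Encode" on the Literal is an alternative.)
        litTitle.Text = HttpUtility.HtmlEncode(title ?? string.Empty);
    }
}
```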