Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What does requestValidationMode="2.0" actually do?

Tags:

validation

asp.net-mvc

asp.net-mvc-3

asp.net-mvc-validation


I'm trying to solve a "A potentially dangerous Request.Form value was detected from the client" problem, and SO answers and Scott Hanselman recommend setting

<httpRuntime requestValidationMode="2.0" />

in Web.config (along with adding an attribute to problematic Methods).
I realize this changes the validation mode to ASP.NET 2.0's, but what does that mean?
And also, does this change has any side effects I should be aware of?

Thanks.

like image 792
Oren A Avatar asked Jun 01 '11 19:06

Oren A

2 Answers

Check out the description at MSDN's HttpRuntimeSection.RequestValidationMode Property.

2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.

like image 93
David d C e Freitas Avatar answered Oct 20 '22 07:10

David d C e Freitas

Take a look at ASP.NET Request Validation>

The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:

<httpRuntime requestValidationMode="2.0" />

However, we recommend that you analyze any request validation errors to determine whether existing handlers, modules, or other custom code accesses potentially unsafe HTTP inputs that could be XSS attack vectors.

like image 26
Hector Correa Avatar answered Oct 20 '22 08:10

Hector Correa
Sign in to Comment

Related questions

How can I use Nhibernate to retrieve data when the "WHERE IN()" have thousands of values? (too many parameters in the sql)
What is the default generator for CMake in Windows?
Avoid memory leaks on Android
Which scala compiler plugins are available?
Adding iPad support to an iPhone project: universal vs two separate apps? [closed]
HDF5 viewers/editors linux [closed]
Passing anonymous objects from a view to a partial view
Collecting Maven-based dependency's transitive dependencies to a non-Maven project's classpath
Understanding display:table-cell; functioning
How to enter rails console on production via capistrano?
Is it possible to re-use boost::spirit::qi grammar in another grammar definition?
When should i validate in-app purchase transaction receipt?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!