ASP.NET: A potentially dangerous Request.Form value was detected from the client

Question

I have a client that claims to get the server error "A potentially dangerous Request.Form value was detected from the client"

...and this is likely to be that html is entered and something I need to fix a better way of managing than validateRequest=true.

http://www.aspcode.net/A-potentially-dangerous-RequestForm-value-was-detected-from-the-client.aspx

But my client claims to have entered pure text and no html. What are the validation rules for an error? Only <>? Is there any other charactes I need to look out for?

/Niels

See if this helps: http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client — o.k.w, Nov 25 '09 at 14:09

score 3 · Accepted Answer · edited Jan 18 '12 at 18:48

3

The trigger characters for validate request filtering are less-than and html character escape sequences (&#XX;).

More details here: http://keepitlocked.net/archive/2007/10/30/asp-net-validaterequest-and-the-html-attribute-based-cross-site-scripting.aspx

edited Jan 18 '12 at 18:48

OpenR

176
1
11

answered Nov 25 '09 at 19:20

RickNZ

17,965
3
46
65

ASP.NET: A potentially dangerous Request.Form value was detected from the client

1 Answers1