15

Anyone know why I am getting the following error? I have debugging enabled.

Server Error in '/' Application.
--------------------------------------------------------------------------------

A potentially dangerous Request.Form value was detected from the client (strContent="<p>
test</p>
"). 
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. 

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (strContent="<p>
test</p>
").

Source Error: 

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:

1. Add a "Debug=true" directive at the top of the file that generated the error. Example:

  <%@ Page Language="C#" Debug="true" %>

or:

2) Add the following section to the configuration file of your application:

<configuration>
   <system.web>
       <compilation debug="true"/>
   </system.web>
</configuration>

Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.

Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.  

Stack Trace: 


[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (strContent="<p>
    test</p>
").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +8725306
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +111
   System.Web.HttpRequest.get_Form() +129
   System.Web.HttpRequest.get_HasForm() +8725415
   System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +97
   System.Web.UI.Page.DeterminePostBackMode() +63
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6785
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +242
   System.Web.UI.Page.ProcessRequest() +80
   System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21
   System.Web.UI.Page.ProcessRequest(HttpContext context) +49
   ASP.ajax_create_new_page_aspx.ProcessRequest(HttpContext context) +37
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75



--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:2.0.50727.3615; ASP.NET Version:2.0.50727.3618
oshirowanen
  • possible duplicate of [Validation detected dangerous client input - post from TinyMCE in ASP.NET](http://stackoverflow.com/questions/1225472/validation-detected-dangerous-client-input-post-from-tinymce-in-asp-net) – Pieter van Ginkel Feb 04 '11 at 11:26
  • Possible Duplicate: http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client – Anuraj Feb 04 '11 at 11:29

8 Answers

17

The post contains HTML elements (the <p> tag, in your case) - this can be indication of a cross site scripting attack, which is why asp.net does not allow it by default.

You should either HTML encode before submitting (best practice), or disable the warning and potentially expose yourself to XSS.

Oded
  • The HTML post was intended, how do I encode to HTML using jQuery? – oshirowanen Feb 04 '11 at 11:36
  • @oshirowanen - see this SO question and answers: http://stackoverflow.com/questions/1219860/javascript-jquery-html-encoding – Oded Feb 04 '11 at 11:38
  • @Oded Hi. I wanted to ask you about your answer. It is bad practice to disable the ASP.NET checking of ("potentially dangerous request..."). But here, for example (in SO), I want the users to be able to submit - so there must be a JS mechanism which HTML-encodes it..... Do you have any good library for doing it? – Royi Namir Sep 24 '12 at 08:42
  • @RoyiNamir - Don't know of a good library, but the general way to do this is to allow HTML content for that specific field (I believe .NET 4.0 or possibly 4.5 has an attribute that lets you do this on a specific field) and whitelist only the tags that you want (so the validation would reject anything that is HTML and not ``). – Oded Sep 24 '12 at 09:31
  • @Oded Hi. I had a discussion with some people here and wanted to share their thoughts.... http://chat.stackoverflow.com/rooms/17056/discussion-between-royi-namir-and-quentin please tell me what you think - your opinion is important to me. – Royi Namir Sep 27 '12 at 07:18
  • @RoyiNamir - Quentin has some good points. What I posted is the most stark paranoid option. Of course HTML encoding before submit is not enough (i.e. never trust the client), but so long as you keep the surface area of an attack small and are aware of the trade-offs and work to ensure you have coded and documented the code to that, you should be OK. Note that I do say "potentially" - if you are aware of the risks and know how to mitigate them - all the better and you will most likely be OK (I say probably, because _nothing_ is ever 100% certain). – Oded Sep 27 '12 at 08:30
  • So actually I can disable the validation and when plotting to screen - just use HtmlEncode (server side) in order to avoid XSS. (This will save me the HTML encoding which wasn't meant to be there in the first place.) – Royi Namir Sep 27 '12 at 09:47
  • @RoyiNamir - That's pretty much the conventional way to do it. It avoids code injection, though you should be using the [AntiXss](http://wpl.codeplex.com/) toolkit to be sure. – Oded Sep 27 '12 at 09:50
  • Thanks Oded (Doesn't it seem strange that the code for replacing HTML chars in JS is so popular, and now I ask - for WHAT?) – Royi Namir Sep 27 '12 at 09:51
  • @RoyiNamir - Not surprising, as this would be what many developers would do to go around the issue instead of looking deeper. – Oded Sep 27 '12 at 12:21
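The approach the comment thread converges on (exempt only the field that carries the editor output, keep its value as data, encode it on every output path, and sanitize on the server only where it must render as markup), written out as an added example. This is not code from the question or from any answer. It assumes .NET 4.5 or later with the default requestValidationMode="4.5", where validation is applied lazily per value and `Request.Unvalidated` exists (on the 2.0 runtime in the question's version line, the page directive and web.config settings in the other answers are the only options); ASP.NET MVC 3 or later for the second half; and the Microsoft AntiXSS library the thread links to for `Sanitizer.GetSafeHtmlFragment`. Page, control, model and action names are hypothetical.

```csharp
// Added example, not code from the question or answers. Assumes .NET 4.5+
// (requestValidationMode="4.5", Request.Unvalidated), ASP.NET MVC 3+, and the
// Microsoft AntiXSS package (NuGet "AntiXSS") for Sanitizer. Names are hypothetical.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.UI;
using Microsoft.Security.Application;   // Sanitizer.GetSafeHtmlFragment

// ---- WebForms: the situation in the question ----------------------------------
// Code-behind for a page like ajax_create_new_page.aspx. The @Page directive keeps
// its default ValidateRequest="true"; only the one lookup below is unvalidated.
// previewLiteral and renderedLiteral are <asp:Literal> controls assumed to be
// declared in the page markup (and therefore in the designer file).
public partial class AjaxCreateNewPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;

        // Request.Form["strContent"] would raise HttpRequestValidationException for
        // "<p>test</p>". Request.Unvalidated bypasses the check for this lookup only;
        // every other field read through Request.Form is still validated.
        string rawContent = Request.Unvalidated.Form["strContent"];
        if (string.IsNullOrWhiteSpace(rawContent))
        {
            Response.StatusCode = 400;
            Response.End();   // aborts the request; nothing below runs for bad input
            return;
        }

        // Safe default: treat the markup as data and encode it wherever it is shown.
        // The browser receives "&lt;p&gt;test&lt;/p&gt;", which cannot execute.
        previewLiteral.Text = HttpUtility.HtmlEncode(rawContent);

        // Only when the editor output must render as HTML: reduce it to a whitelisted
        // fragment on the server before it is stored or emitted unencoded. Anything the
        // client encoded or stripped does not count; a direct POST skips the client.
        string safeFragment = Sanitizer.GetSafeHtmlFragment(rawContent);
        renderedLiteral.Text = safeFragment;   // the one place unencoded output is allowed
    }
}

// ---- ASP.NET MVC: the [AllowHtml] / [ValidateInput(false)] answers further down ----
public class NewPageModel
{
    // Still validated: a "<p>" posted in this field is rejected as before.
    public string Title { get; set; }

    // Exemption scoped to this one property; the rest of the model keeps the default.
    [AllowHtml]
    public string StrContent { get; set; }
}

public class PagesController : Controller
{
    // [ValidateInput(false)] on the action also works but exempts every field of the
    // request, which is wider than needed.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(NewPageModel model)
    {
        if (model == null || string.IsNullOrWhiteSpace(model.StrContent))
            return new HttpStatusCodeResult(400, "strContent is required");

        // Same output rule as above: @Model.StrContent in Razor is encoded automatically;
        // only the sanitized fragment may be handed to Html.Raw.
        ViewBag.SafeFragment = Sanitizer.GetSafeHtmlFragment(model.StrContent);
        return View(model);
    }
}
```

The split between the encoded value and the sanitized fragment is deliberate: encoding is reversible and loses nothing, so the raw submission can be stored and shown safely anywhere; the whitelist step is lossy and is applied once, on the server, only to the copy that will be rendered as markup.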
6

In the web.config file, within the tags, insert the httpRuntime element with the attribute requestValidationMode="2.0". Also add the validateRequest="false" attribute in the pages element.

<configuration>
  <system.web>
   <httpRuntime requestValidationMode="2.0" />
   <pages validateRequest="false" />
  </system.web>
</configuration>
Leniel Maccaferri
parisa
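The two settings in this answer turn request validation off for every page in the application. An added example (not part of the answer) of the same change scoped with ASP.NET's `<location>` element to the one page that receives the editor output; the page name is taken from the question's stack trace, and the rest of the file is assumed. `httpRuntime` is only valid at application level, so it stays outside `<location>`. On .NET 4.5 the alternative is to leave validation on and read the single value through `Request.Unvalidated` instead.

```xml
<!-- Added example, not from the answer above. Disables validation only for the page
     that posts TinyMCE output; every other page keeps the default. -->
<configuration>
  <system.web>
    <!-- Required on .NET 4.0+ for a page-level validateRequest="false" to be honoured.
         httpRuntime is application-level only and cannot be moved into <location>. -->
    <httpRuntime requestValidationMode="2.0" />
    <!-- No <pages validateRequest="false" /> here: the application default stays on. -->
  </system.web>

  <!-- Path assumed from the question's stack trace (ASP.ajax_create_new_page_aspx). -->
  <location path="ajax_create_new_page.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```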
3

It's because you have HTML tags in your POST request. To allow it you need to set ValidateRequest="false" in your @Page directive. But remember this can expose your site to Cross Site Scripting attacks.

Mykola
Shekhar_Pro
3

Place [AllowHtml] attribute in your model.

ecasper
1

If this is an MVC application you can apply this attribute on Controller Action level to ignore input validation:

[ValidateInput(false)]

Willy David Jr
0

Make sure you're changing in the actual Web.config. I was changing it in Web.debug.config and Web.release.config files and it wouldn't work.

codenesium
0

I had to go hunting a little within my web.config file, specifically within the system.web xml section, to find where I could update the <pages> directives... as you noted. As soon as I added the validateRequest="false" attribute to the pages directive within the web.config file, it made everything whole again.

In my particular case, it is NOT on a production server however and this is not 'production' level code either. It's a private local server, with me only as the sole user in the environment so that makes me feel better about updating that setting. As below:

<system.web>
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" validateRequest="false" />
</system.web>
Wtower
bro mak
0

I have an AJAX request with FormData, so it worked when using the Unvalidated keyword before retrieving data from the request. So you can try this way with TinyMCE text data; here you don't need to modify your web.config file either. My code is given below:

var data = Request.Unvalidated.Form["Key_word"];