
A potentially dangerous Request.Form value was detected from the client Error in .NET


While working on ASP.NET web projects, we sometimes run into an error like “A potentially dangerous Request.Form value was detected from the client”.

What does this error mean? Simply put, it is raised when a user enters non-encoded HTML content into a textbox or passes it via the query string.

In this tutorial, I’ll explain how to resolve the error “A potentially dangerous Request.Form value was detected from the client”, covering its cause and solution.

Error: A potentially dangerous Request

Server Error in '/' Application.

A potentially dangerous Request.Form value was detected from the client (TextBox1="<span>Hi, How are you?</span>").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TextBox1="<span>Hi, How are you?</span>").

The above exception occurs when ValidateRequest is set to true (the default) and someone submits HTML content to the server (for example, <span>Hi, How are you?</span>). The error is raised when this HTML content is posted because ASP.NET tries to protect the application from scripting attacks. It most likely appears when you’re working with rich text boxes or rich text editors that post HTML content to the server.

Error Cause:

The .NET Framework throws the error because it detected something in the entered text that looks like an HTML statement. The text doesn’t need to be valid HTML; anything with opening and closing angle brackets (“<…>”) is enough.

The error is a security precaution. Developers need to be aware that users might try to inject HTML (or even a script) into a text box, which may affect how the form is rendered. More details are in “Request Validation – Preventing Script Attacks”.

Note: This checking was not performed in the .NET 1.0 framework and was introduced with the .NET 1.1 framework.

Error Solution:

To disable request validation for a specific page, add ValidateRequest="false" to the existing Page directive in that .aspx file:

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Example.aspx.cs" Inherits="Examples.Example" ValidateRequest="false" %>

Note: If you are using ASP.NET 4.0+, you must also add or update <httpRuntime requestValidationMode="2.0"/> in the web.config file:

<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0"/>
  </system.web>
</configuration>

Note: If you want to turn off request validation globally for every page, add the <pages validateRequest="false" /> line along with the validation mode statement above in the existing web.config file:

<configuration>
  <system.web>
    <pages validateRequest="false" />
    <httpRuntime requestValidationMode="2.0"/>
  </system.web>
</configuration>

Note: I always avoid the last solution because disabling validation globally raises a huge security issue. The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. If you still want to use the last option, you don’t need to add ValidateRequest="false" to the Page directive of every .aspx page.
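
The error text says an application that disables request validation should check its inputs explicitly. One way to do that in the code-behind of the Example.aspx page above, as an added example that is not code from the original article: HTML-encode the posted value, then restore only a small allowlist of attribute-free formatting tags. The allowlist, the SanitizeHtml helper, the Submit_Click handler and the OutputLabel control are assumptions made for illustration.

```csharp
using System;
using System.Text;
using System.Web;

namespace Examples
{
    // Code-behind for Example.aspx, the page that sets ValidateRequest="false".
    // TextBox1 and OutputLabel are declared in the page's designer file.
    public partial class Example : System.Web.UI.Page
    {
        // Assumed policy: only these tags, written exactly and without attributes.
        private static readonly string[] AllowedTags = { "b", "i", "span" };

        // Encode everything first, then re-enable only exact allowlisted tags.
        // Anything else (<script>, <span onmouseover=...>, <B>) stays encoded
        // and is rendered as visible text instead of markup.
        public static string SanitizeHtml(string input)
        {
            if (string.IsNullOrEmpty(input))
            {
                return string.Empty;
            }

            var sb = new StringBuilder(HttpUtility.HtmlEncode(input));
            foreach (string tag in AllowedTags)
            {
                sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
                sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
            }
            return sb.ToString();
        }

        // Hypothetical click handler for a submit button on the page.
        protected void Submit_Click(object sender, EventArgs e)
        {
            // TextBox1 is the field named in the error message;
            // OutputLabel is a hypothetical Label that echoes the input.
            OutputLabel.Text = SanitizeHtml(TextBox1.Text);
        }
    }
}
```

With this in place, the value from the error message, <span>Hi, How are you?</span>, is rendered as a span, while a posted <script> element is shown as literal text.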
Hi there, I am Mayank, the man behind Technical Mack. I started AspnetO with a motive to educate people on various programming languages ranging from beginners to expert level. Through this blog, I aim to provide more insightful content.

1 COMMENT

  1. Hi,
    I have used the above in the web config file, but I’m still getting this error in my application.
    Note: In my source I’m not getting this error, but when I build the application and deploy it to the Live Server / Testing, this occurs.
