18 December 2005

ASP.NET potentially dangerous Request.Form value

Posted by Mikhail Esteves under: C#; Tips.

“A potentially dangerous Request.Form value was detected from the client”

I’ve received this bug report many times from users… It seems to be a feature of ASP.NET that stops dangerous input, such as scripts or injection attacks, from running in your pages. Turning it off is pretty simple: just add the following to your web.config file.

<configuration>
  <system.web>
    <!-- Turns request validation off for every page in the site -->
    <pages validateRequest="false" />
  </system.web>
</configuration>


4 Comments so far...

bk Says:

14 February 2006 at 12:31 am.

What a good idea! For once, MSFT warns you about a security issue and the solution is to disable the warning.

the tinman Says:

12 April 2006 at 3:06 am.

Well, if MSFT provided a way to CONFIGURE this option, such that your code could still work, while the filter searched for OTHER dangerous requests, THAT would be the solution. Alas…

MrEyes Says:

10 October 2006 at 4:42 pm.

Adding this to the web.config in the manner described above will disable validation for the entire site. This may or may not be desirable.

You can disable at a page level by adding the following:

validateRequest="false"

to the directive at the top of your page.

codeprostitute Says:

3 July 2007 at 6:55 pm.

FYI – Should you choose to disable this, it is a good idea to use Server.HtmlEncode on the input value if the input will ever be displayed.
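
An added example, not part of the original post or its comments: a Web Forms code-behind that opts a single page out of request validation, as MrEyes describes, and encodes the value at output with Server.HtmlEncode, as codeprostitute suggests. The page, namespace and control names (Comment.aspx, Demo.CommentPage, CommentBox, Preview) and the length limit are assumptions made for the example.

```csharp
// Comment.aspx markup, shown here as a comment (hypothetical names):
//   <%@ Page Language="C#" ValidateRequest="false"
//            CodeBehind="Comment.aspx.cs" Inherits="Demo.CommentPage" %>
//   <form runat="server">
//     <asp:TextBox ID="CommentBox" runat="server" TextMode="MultiLine" />
//     <asp:Button ID="Submit" runat="server" Text="Post" OnClick="Submit_Click" />
//     <asp:Literal ID="Preview" runat="server" />
//   </form>
// On ASP.NET 4.0 and later the page-level setting only takes effect when
// web.config also has <httpRuntime requestValidationMode="2.0" />.
using System;
using System.Web.UI;

namespace Demo
{
    public partial class CommentPage : Page
    {
        // Upper bound chosen for this example; not an ASP.NET default.
        private const int MaxLength = 2000;

        protected void Submit_Click(object sender, EventArgs e)
        {
            // With validation off for this page, input such as "<b>hi</b>"
            // reaches the handler instead of raising
            // HttpRequestValidationException, so the page checks it itself.
            string raw = CommentBox.Text ?? string.Empty;
            if (raw.Length > MaxLength)
            {
                Preview.Text = "Comment is too long.";
                return;
            }

            // Keep the raw value for storage; encode where it is written
            // into HTML. asp:Literal does not encode its Text by default,
            // so HtmlEncode turns characters such as < > & " into entities
            // and the browser shows the text instead of running it.
            Preview.Text = Server.HtmlEncode(raw);
        }
    }
}
```

Every other page in the site keeps the default validation, because only this page's directive changes it.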
