ASP.NET potentially dangerous Request.Form value

“A potentially dangerous Request.Form value was detected from the client”

I’ve received this bug report many times from users… Seems it’s a feature of ASP.NET that prevents dangerous code like scripts or injection attacks running in your pages. Turning this off is pretty simple. Just add the following to your web.config file.

<configuration>
  <system.web>
    <!-- Turns request validation off for every page in the site -->
    <pages validateRequest="false" />
  </system.web>
</configuration>

4 Comments

bk, February 14th, 2006 at 12:31 am

what a good idea! For once, MSFT warns you about a security issue and the solution is to disable the warning.

the tinman, April 12th, 2006 at 3:06 am

Well, if MSFT provided a way to CONFIGURE this option, such that your code could still work, while the filter searched for OTHER dangerous requests, THAT would be the solution. Alas…

MrEyes, October 10th, 2006 at 4:42 pm

Adding this to the web.config in the manner described above will disable validation for the entire site. This may or may not be desirable.

You can disable at a page level by adding the following:

validateRequest="false"

To the

directive at the top of your page

codeprostitute, July 3rd, 2007 at 6:55 pm

FYI – Should you choose to disable this, it is a good idea to use Server.HtmlEncode on the input value if the input will ever be displayed.
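
Added example, not part of the original post or of any comment above: a small C# console program showing what encoding on output does to form values that arrive once request validation is off. It uses System.Net.WebUtility.HtmlEncode as a stand-in for Server.HtmlEncode so it runs outside a web application; the class name, method name and sample values are constructed for this illustration.

```csharp
using System;
using System.Net;
using System.Text;

static class CommentPage
{
    // Build the markup for one comment. The raw strings are kept as posted;
    // encoding happens here, at the point where they are written into HTML.
    public static string Render(string author, string body)
    {
        var html = new StringBuilder();
        html.Append("<div class=\"comment\" title=\"");
        html.Append(WebUtility.HtmlEncode(author)); // inside a double-quoted attribute
        html.Append("\">");
        html.Append(WebUtility.HtmlEncode(body));   // inside element content
        html.Append("</div>");
        return html.ToString();
    }

    static void Main()
    {
        // Constructed sample values: markup like this is what request
        // validation rejects, and what reaches the page once it is off.
        string author = "Ann \"<i>admin</i>\"";
        string body = "Nice post <script>alert(1)</script> & thanks";

        string unsafeHtml = "<div class=\"comment\" title=\"" + author + "\">" + body + "</div>";
        string safeHtml = Render(author, body);

        Console.WriteLine("Unencoded (markup is live):");
        Console.WriteLine(unsafeHtml);
        Console.WriteLine("Encoded (markup is shown as text):");
        Console.WriteLine(safeHtml);
    }
}
```

HTML encoding covers element content and quoted attribute values; a value written into a script block or a URL needs the encoding for that context instead.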
