potentially dangerous Request.Form value was detected

Jun 10, 2011 at 3:40 PM
Edited Jun 10, 2011 at 3:48 PM

Ok, so every time I go to make a change, whether it's a change to a textbox widget, or uploading a photo to a post, I get this error:

Saving a post still works though, thankfully.

UPDATE: It also does it when switching to the HTML editor on the post view. Seems to be an issue with accepting anything with HTML in it.


Thanks in advance!

Server Error in '/' Application.

A potentially dangerous Request.Form value was detected from the client (widget$txtText="<div style="line-hei...").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (widget$txtText="<div style="line-hei...").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (widget$txtText="<div style="line-hei...").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8730676
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
   System.Web.HttpRequest.get_Form() +114
   System.Web.HttpRequest.get_Item(String key) +40
   BlogEngine.Core.Web.HttpModules.CompressionModule.ContextPostReleaseRequestState(Object sender, EventArgs e) +124
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Jun 10, 2011 at 4:00 PM

Take a look at this thread for examples. It basically comes down to two requirements:

1.  validateRequest="false" in page directive (should already be there)

2. <httpRuntime requestValidationMode="2.0" /> in web.config 

Jun 10, 2011 at 4:04 PM

Hmmm, I've already tried that once, but maybe I did it incorrectly. I'll give it another go!


Jun 10, 2011 at 4:16 PM

Well, it worked this time. Strange, but thanks rtur!

Aug 5, 2011 at 2:45 PM

Hey, this fixes the same issue for me.  It was already set in the page directive, but I had to add it in config.

Question: Doesn't disabling this validation open the application to some serious security risks?


Aug 5, 2011 at 11:20 PM

The 2nd one (<httpRuntime .... />), this is safe as it's just telling IIS to allow validation to occur at the ASP.NET level.  Without this, nothing can get thru as IIS is too strict.

The 1st one (validateRequest="false") is what gets evaluated at the ASP.NET level (if you don't do the 2nd one with <httpRuntime.. />, then this validateRequest one never gets looked at).  Setting validateRequest to false does turn off built in ASP.NET validation and means that the application is responsible for validating the data itself.  Several pages in BE have validateRequest set to false ... the main reason is to allow HTML/WYSIWYG content to come thru.  BE is validating or encoding the incoming data where validateRequest is set to false.  In ASP.NET, requestValidation is true by default which is generally good as you want the built-in validation by default when you are starting off a new application ... i.e. secure by default.  It's fine to turn it off as long as you then secure your application.
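
The two settings discussed in this thread, shown as a web.config fragment. This is an added example, not part of any post above and not BlogEngine's own configuration. It goes slightly beyond the thread by scoping `validateRequest="false"` with a `<location>` element as an alternative to the page directive, and the page path is a placeholder.

```xml
<?xml version="1.0"?>
<!-- web.config (ASP.NET 4). Added illustration; the page path below is a placeholder. -->
<configuration>
  <system.web>
    <!-- Setting 2 from the thread: use 2.0-style request validation, where
         validation applies to page requests and the page-level validateRequest
         setting is honored. On its own this does not turn validation off
         for any page. -->
    <httpRuntime requestValidationMode="2.0" />

    <!-- Weak: disables request validation for every page in the application.
         Left commented out on purpose. -->
    <!-- <pages validateRequest="false" /> -->
  </system.web>

  <!-- Narrower: disable validation only for the one page that must accept HTML
       (an alternative to validateRequest="false" in that page's @ Page directive).
       That page must then validate or encode the posted value itself. -->
  <location path="path/to/EditorPage.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```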