Request validation in ASP.Net 4.0
recently, while migrating one of our web applications to .NET Framework 4.0, we came across a following issue. The app’s main goal is to store some HTML articles in the database. However, when a user made a postback when saving an article, he got the following error message:
A potentially dangerous Request.Form value was detected from the client (ctl1…)
This kind of message is known to ASP.net 3.5 and 2.0 developers. The standard workaround for this issue was either to configure a single page not to validate request:
..or, globally for the whole application, via web.config:
<pages validateRequest="false" />
We had the second option chosen, since only a couple of trusted and authenticated users were using the app. But, as already said, the error came up after migration to 4.0 Framework. The request validation was disabled in the <pages> node, but for ASP.Net 4.0 it seems not to be enough.
There are some security improvements in the latest version of ASP.Net, protecting from cross-site-scripting (XSS) attacks. New default protection not only applies to aspx pages, but to all kind of requests, like web service calls and custom handlers, even when using our custom HTTP module(s).
That was the reason why our app threw errors which it didn’t do before. In order to restore previous behavior of ASP.Net applications one has to set the request validation mode backwards, for the 2.0 version. In web.config, you just add following attribute to the <httpRuntime> node:
<httpRuntime requestValidationMode="2.0" />
Hope this helps.