
Potentially dangerous Request.Form value was detected from the client

#1 anonymouscodder
Posted 05 June 2011 - 02:20 PM

The error
When the user submits a form containing an HTML tag to the server, ASP.NET checks whether there is any tag in the form and, if there is, shows an error:

Quote

A potentially dangerous Request.Form value was detected from the client.
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.


Why?
ASP.NET checks the content of the form sent to the server to prevent cross-site scripting (XSS). Without the request validation feature, a user could, for example, send a form containing a JavaScript snippet that redirects to another website. Then, when you show that content, it is interpreted by the browser, which executes the script. Note that anything between '<' and '>' is considered dangerous, and the tag doesn't necessarily have to be closed with '>' ("<a" would be considered potentially dangerous). ASP.NET validates the query string as well.

Try it:
<%@ Page Language="C#" ValidateRequest="false" %>
<html>
    <script runat="server">
        // Writes the raw, unencoded input back to the page: with request validation
        // disabled, the script in the TextBox is executed by the browser.
        void submitclick(Object sender, EventArgs e) { Response.Write(textbox.Text); }
    </script>
    <body>
        <form runat="server">
            <asp:TextBox id="textbox" runat="server" Text="<script>window.location='http://google.com'</script>"/>
            <asp:Button id="submitbutton" runat="server" onclick="submitclick" Text="Submit" />
        </form>
    </body>
</html>


The problem
This feature works fine but what if you do need the user to enter content between the characters '<' and '>'? And even if you want to restrict the user input, how do you show the error in a friendly way?

First-off
To deal with this by yourself you have to disable the request validation feature. You have to because the validation is done by ASP.NET before any of your code.

You can disable the request validation in the page by setting the attribute validateRequest to false:
<%@ Page ValidateRequest="false" %>


Or you can disable it for your entire application in the web.config file:
<configuration>
    <system.web>
        <pages validateRequest="false" />
    </system.web>
</configuration>


Encoding the content
You can use the method Server.HtmlEncode to convert the characters to their HTML-encoded equivalents: '<' is converted to &lt; and '>' to &gt;. This way they are interpreted simply as characters, as text.

Try it:
<%@ Page Language="C#" ValidateRequest="false" %>
<html>
    <script runat="server">
        // HtmlEncode turns '<' and '>' into &lt; and &gt;, so the browser
        // renders the script tag as text instead of executing it.
        void submitclick(Object sender, EventArgs e) { Response.Write(Server.HtmlEncode(textbox.Text)); }
    </script>
    <body>
        <form runat="server">
            <asp:TextBox id="textbox" runat="server" Text="<script>window.location='http://google.com'</script>"/>
            <asp:Button id="submitbutton" runat="server" onclick="submitclick" Text="Submit" />
        </form>
    </body>
</html>


Friendly error message
If you want to ensure that the content the user enters does not contain dangerous values, you can use your own validator.

Try it:
<%@ Page Language="C#" ValidateRequest="false" %>
<html>
    <script runat="server">
        void submitclick(Object sender, EventArgs e)
        {
            // The validator also runs on the server, but the click handler still fires;
            // check Page.IsValid so the content is only written when it passed.
            if (!Page.IsValid) return;
            Response.Write(textbox.Text);
        }
    </script>
    <body>
        <form id="Form1" runat="server">
            <asp:TextBox id="textbox" runat="server" Text="<script>window.location='http://google.com'</script>"/>
            <asp:Button id="submitbutton" runat="server" onclick="submitclick" Text="Submit" />
            <asp:RegularExpressionValidator runat="server" ControlToValidate="textbox" ValidationExpression="^[\w]+$" ErrorMessage="Use only alphanumeric characters" />
        </form>
    </body>
</html>


Changing the content
Another approach is to remove the tags from the user input.

Try it:
<%@ Page Language="C#" ValidateRequest="false" %>
<%@ Import Namespace="System.Text.RegularExpressions" %>
<html>
    <script runat="server">
        // Removes anything that looks like a tag ('<' up to the next '>') before writing.
        void submitclick(Object sender, EventArgs e) { Response.Write(Regex.Replace(textbox.Text, "<[^>]*>", "")); }
    </script>
    <body>
        <form id="Form1" runat="server">
            <asp:TextBox id="textbox" runat="server" Text="<script>window.location='http://google.com'</script>" />
            <asp:Button id="submitbutton" runat="server" onclick="submitclick" Text="Submit" />
        </form>
    </body>
</html>


Remember
When disabling the validation request on the page make sure to validate all input from that page.
When disabling the request validation on the application make sure to validate the entire application.

Important
The examples are just to illustrate the given solution; remember to validate on the server side as well.

References
How To: Prevent Cross-Site Scripting in ASP.NET
Inside the new ValidateRequest feature - Followers of the IHttpHandler
Cross-site scripting - Wikipedia, the free encyclopedia

Replies To: Potentially dangerous Request.Form value was detected from the client

#2 anonymouscodder

Posted 13 July 2011 - 11:55 AM

Just to add, if you are using ASP.NET 4 you may have to add the following to your web.config, between the <system.web> tags:
<httpRuntime requestValidationMode="2.0" />


Explanation below:

Quote

* 4.0 (the default). The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever any HTTP request data is accessed. This guarantees that the request validation is triggered before data such as cookies and URLs are accessed during the request. The request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are ignored.

* 2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.

http://msdn.microsof...dationmode.aspx


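Putting the settings from both posts together, here is an added web.config for an ASP.NET 4.x application (it is not from either post, and the comments are mine) that keeps request validation on everywhere and lets individual pages opt out with the @ Page directive:

```xml
<configuration>
  <system.web>
    <!-- ASP.NET 4 default (4.0) validates every request and ignores both the
         <pages> element and the @ Page directive; 2.0 restores per-page control. -->
    <httpRuntime requestValidationMode="2.0" />
    <!-- Leave validation on application-wide (this is the default), and
         disable it only on the pages that really need raw markup with
         <%@ Page ValidateRequest="false" %>, validating their input yourself. -->
    <pages validateRequest="true" />
  </system.web>
</configuration>
```

With this in place, a page that keeps the default directive is still protected by the built-in check, and only the pages marked ValidateRequest="false" are responsible for their own encoding or validation.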
