A potentially dangerous Request.Form value was detected from the client in asp.net

A few days ago, while working on an ASP.NET 4.0 web project, I got the following issue.

“A potentially dangerous Request.Form value was detected from the client…..”

This issue occurred when I tried to enter some non-encoded HTML content as product details into the rich textbox.

e.g.: “<p>Hello</p>”

After entering the above HTML data in the rich textbox, I tried to insert the data and got an error message like

Why did this happen?

By default, ASP.NET validates all input controls for potentially unsafe content that can lead to cross-site scripting and SQL injection, and it rejects such content by throwing the above exception. It is recommended to leave this check enabled on each postback.

Some .NET controls automatically encode their HTML output. For instance, setting the Text property on a TextBox control automatically encodes it, which specifically means converting "<" into "&lt;", ">" into "&gt;", "&" into "&amp;", etc.

How to solve?

First Method:

To eliminate this error, set ValidateRequest="false" in the @Page directive of that .aspx file, or in the web.config file.

            <%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs"
                Inherits="_Default" ValidateRequest="false" %>
        

This disables request validation only for the page on which the ValidateRequest flag is set to false, so that page must encode or otherwise sanitize the submitted HTML itself before displaying it.

For .NET 4.0 or higher, you also need to add the following line in the <system.web> section of web.config to make the above work. Element and attribute names in web.config are case-sensitive.

            <httpRuntime requestValidationMode="2.0" />
        

Second Method:

If you want to disable this check throughout your web application, set it to false in the <system.web> section of your web.config. This applies globally to your application.

            <pages validateRequest="false" />
        

So the complete solution is to add the following to web.config:

            <system.web>
                <httpRuntime requestValidationMode="2.0" />
                <pages validateRequest="false" />
            </system.web>

But I always recommend the first method.
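
With request validation turned off by either method above, the page has to make the submitted HTML safe itself before displaying it. The following is an added example, not code from the original post: it HTML-encodes the product details and then restores only a small allow-list of attribute-free tags. `ProductHtml`, `ToSafeHtml` and the tag list are hypothetical names and choices.

```csharp
using System;
using System.Net;
using System.Text;

// Added example: helper for a page that runs with ValidateRequest="false".
// ProductHtml, ToSafeHtml and AllowedTags are hypothetical, not from the post.
public static class ProductHtml
{
    // Attribute-free formatting tags the product description may keep.
    private static readonly string[] AllowedTags = { "p", "b", "i", "br" };

    // Encode everything first, then restore only the exact allow-listed tags.
    // Anything else (other tags, tags with attributes) stays encoded as text.
    public static string ToSafeHtml(string raw)
    {
        var sb = new StringBuilder(WebUtility.HtmlEncode(raw ?? string.Empty));
        foreach (string tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return sb.ToString();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs for the rich textbox value.
        string[] samples =
        {
            "<p>Hello</p>",
            "<p onclick=\"x()\">Hello</p>",
            "<script>x()</script><b>Sale</b>"
        };
        foreach (string s in samples)
            Console.WriteLine(ProductHtml.ToSafeHtml(s));
    }
}
```

In the page's code-behind, the result of `ToSafeHtml` is what would be written to the output, while the raw value from the rich textbox is what gets stored.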

