0
votes

I am getting this error in my ASP.NET page:

A potentially dangerous Request.Form value was detected from the client (ctl00$DefaultContent$UCSimpleSearch$txtFind="$%^&#%^&@#%@").

I get this error when I type $%^&#%^&@#%@ in a textbox of this page and hit submit.

How do I overcome this error? Is it recommended to set validateRequest=false in the Page directive to get rid of this?

4 Answers

2
votes

Setting ValidateRequest to false is one way to work around this error. What you have to decide is whether or not any of these characters are valid input characters for your form. If they are, then you need to turn this off and ensure that you handle all user input correctly.

I can't seem to find a list of the dangerous characters, so if anyone knows one it would be of value to have a link to it.

Some good information can be found here.

As a general rule, you should always be HTML-encoding any data you place on your site, so turning this off should not cause any harm. However, if you are not sure if you are, it is best to leave it on and not allow this data in your form.

1
votes

Putting validateRequest=false in the page directive should only be done if you're sure you're going to validate it yourself and you want to have anything anyone can think of to be posted to your server.

If that string you typed in is valid input, you will need to disable request validation.

0
votes

Is it recommended to set validateRequest=false in the Page directive to get rid of this?

If you can handle the validation of the textbox input explicitly, why not?

-1
votes

It means that you can't post values containing HTML tags to the server. It was added in very early versions of the .NET Framework for security reasons.

If you have to enable users posting HTML tags, you can add validateRequest="false" to the page directive.
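
The answers above come down to two steps once request validation is off: check the input yourself, and HTML-encode it wherever it is written back into a page. The following is an added example, not code from any of the posts; the SearchInput class, its method names and the 100-character limit are assumptions made for illustration.

```csharp
using System;
using System.Net;

// Added example: a helper that a Web Forms code-behind could call once
// ValidateRequest="false" is set on the page. All names are hypothetical.
static class SearchInput
{
    const int MaxLength = 100; // assumed limit for the search box

    // Input check: punctuation such as $%^&# is allowed, but the length is
    // bounded and control characters are rejected. Returns null on rejection.
    public static string Validate(string raw)
    {
        if (raw == null) return null;
        string value = raw.Trim();
        if (value.Length == 0 || value.Length > MaxLength) return null;
        foreach (char c in value)
            if (char.IsControl(c)) return null;
        return value;
    }

    // Output encoding: applied at the point the value is written into HTML,
    // so <, >, &, " and ' are rendered as text and cannot alter the markup.
    public static string ForHtml(string value)
    {
        return WebUtility.HtmlEncode(value);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed samples: the string from the question, a tag, a control char.
        string[] samples = { "$%^&#%^&@#%@", "<b>bold</b>", "a\u0000b" };
        foreach (string s in samples)
        {
            string ok = SearchInput.Validate(s);
            Console.WriteLine(ok == null
                ? "rejected"
                : "You searched for: " + SearchInput.ForHtml(ok));
        }
    }
}
```

In the page itself, the submit handler would pass txtFind.Text through Validate and assign the ForHtml result to whatever control echoes the search term.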