Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How to prevent "A potentially dangerous Request.Form...."?

Posted on 2004-09-02
4
Medium Priority
?
2,976 Views
Last Modified: 2012-06-27
Hi all,
I get the following error:
----------
A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").

Source Error:


An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.       

Stack Trace:




[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
   System.Web.HttpRequest.get_Form() +113
   System.Web.UI.Page.GetCollectionBasedOnMethod()
   System.Web.UI.Page.DeterminePostBackMode()
   System.Web.UI.Page.ProcessRequestMain()
   System.Web.UI.Page.ProcessRequest()
   System.Web.UI.Page.ProcessRequest(HttpContext context)
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
----------

I use a normal <form action="post"> and a normal <texarea>, both do NOT use "runat=server".

The text that causes this crash contains a "<", if I take it out, it's not dangerous anymore.

Any ideas, WHY this is happening... and more important, how to prevent it?

Thank you.
0
Comment
Question by:Smoerble
4 Comments
 
LVL 7

Accepted Solution

by:
gsiric earned 1200 total points
ID: 11962808
WHY this is happening:
 Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted.

how to prevent it?
You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section.

Page directive:

<%@ Page ... validateRequest="false" %>
 
configuration section:

<system.web>
   <pages validateRequest="false" />
</system.web>

Look more at:
http://www.aspnetpro.com/NewsletterArticle/2004/03/asp200403dk_l/asp200403dk_l.asp

0
 
LVL 9

Assisted Solution

by:msdixon
msdixon earned 400 total points
ID: 11962823
in your page directive (the top of the page in html view that starts <%@ Page) add ValidateRequest="false"

this will tell .net not to worry about html characters. they do it so if someone tries to post html to a message board, etc., (something like "<b>all bold", a script, you get the idea) it won't screw everything up.
0
 
LVL 9

Assisted Solution

by:Rodney Helsens
Rodney Helsens earned 400 total points
ID: 11963244
These guys have answered your question, I thought I would add a few comments.

If you don't know what cross site scripting and you're developing a web application, you will want to learn sooner rather than later.

Here is one article on XSS with some SQL Injection thrown in for good measure
http://dotnetjunkies.com/WebLog/richard.dudley/articles/13706.aspx

0
 

Author Comment

by:Smoerble
ID: 11968393
Very good link, and many thanks for the helps above, here are the points (unfortunatly I can't give more than 500).
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This document covers how to connect to SQL Server and browse its contents.  It is meant for those new to Visual Studio and/or working with Microsoft SQL Server.  It is not a guide to building SQL Server database connections in your code.  This is mo…
A long time ago (May 2011), I have written an article showing you how to create a DLL using Visual Studio 2005 to be hosted in SQL Server 2005. That was valid at that time and it is still valid if you are still using these versions. You can still re…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question