How to prevent "A potentially dangerous Request.Form...."?

Hi all,
I get the following error:
----------
A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").

Source Error:


An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.       

Stack Trace:




[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
   System.Web.HttpRequest.get_Form() +113
   System.Web.UI.Page.GetCollectionBasedOnMethod()
   System.Web.UI.Page.DeterminePostBackMode()
   System.Web.UI.Page.ProcessRequestMain()
   System.Web.UI.Page.ProcessRequest()
   System.Web.UI.Page.ProcessRequest(HttpContext context)
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
----------

I use a normal <form action="post"> and a normal <texarea>, both do NOT use "runat=server".

The text that causes this crash contains a "<", if I take it out, it's not dangerous anymore.

Any ideas, WHY this is happening... and more important, how to prevent it?

Thank you.
SmoerbleAsked:
Who is Participating?
 
gsiricCommented:
WHY this is happening:
 Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted.

how to prevent it?
You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section.

Page directive:

<%@ Page ... validateRequest="false" %>
 
configuration section:

<system.web>
   <pages validateRequest="false" />
</system.web>

Look more at:
http://www.aspnetpro.com/NewsletterArticle/2004/03/asp200403dk_l/asp200403dk_l.asp

0
 
msdixonCommented:
in your page directive (the top of the page in html view that starts <%@ Page) add ValidateRequest="false"

this will tell .net not to worry about html characters. they do it so if someone tries to post html to a message board, etc., (something like "<b>all bold", a script, you get the idea) it won't screw everything up.
0
 
Rodney HelsensCommented:
These guys have answered your question, I thought I would add a few comments.

If you don't know what cross site scripting and you're developing a web application, you will want to learn sooner rather than later.

Here is one article on XSS with some SQL Injection thrown in for good measure
http://dotnetjunkies.com/WebLog/richard.dudley/articles/13706.aspx

0
 
SmoerbleAuthor Commented:
Very good link, and many thanks for the helps above, here are the points (unfortunatly I can't give more than 500).
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.