Solved

How to prevent "A potentially dangerous Request.Form...."?

Posted on 2004-09-02
4
2,937 Views
Last Modified: 2012-06-27
Hi all,
I get the following error:
----------
A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").

Source Error:


An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.       

Stack Trace:




[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
   System.Web.HttpRequest.get_Form() +113
   System.Web.UI.Page.GetCollectionBasedOnMethod()
   System.Web.UI.Page.DeterminePostBackMode()
   System.Web.UI.Page.ProcessRequestMain()
   System.Web.UI.Page.ProcessRequest()
   System.Web.UI.Page.ProcessRequest(HttpContext context)
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
----------

I use a normal <form action="post"> and a normal <texarea>, both do NOT use "runat=server".

The text that causes this crash contains a "<", if I take it out, it's not dangerous anymore.

Any ideas, WHY this is happening... and more important, how to prevent it?

Thank you.
0
Comment
Question by:Smoerble
4 Comments
 
LVL 7

Accepted Solution

by:
gsiric earned 300 total points
ID: 11962808
WHY this is happening:
 Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted.

how to prevent it?
You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section.

Page directive:

<%@ Page ... validateRequest="false" %>
 
configuration section:

<system.web>
   <pages validateRequest="false" />
</system.web>

Look more at:
http://www.aspnetpro.com/NewsletterArticle/2004/03/asp200403dk_l/asp200403dk_l.asp

0
 
LVL 9

Assisted Solution

by:msdixon
msdixon earned 100 total points
ID: 11962823
in your page directive (the top of the page in html view that starts <%@ Page) add ValidateRequest="false"

this will tell .net not to worry about html characters. they do it so if someone tries to post html to a message board, etc., (something like "<b>all bold", a script, you get the idea) it won't screw everything up.
0
 
LVL 9

Assisted Solution

by:Rodney Helsens
Rodney Helsens earned 100 total points
ID: 11963244
These guys have answered your question, I thought I would add a few comments.

If you don't know what cross site scripting and you're developing a web application, you will want to learn sooner rather than later.

Here is one article on XSS with some SQL Injection thrown in for good measure
http://dotnetjunkies.com/WebLog/richard.dudley/articles/13706.aspx

0
 

Author Comment

by:Smoerble
ID: 11968393
Very good link, and many thanks for the helps above, here are the points (unfortunatly I can't give more than 500).
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

A basic question.. “What is the Garbage Collector?” The usual answer given back: “Garbage collector is a background thread run by the CLR for freeing up the memory space used by the objects which are no longer used by the program.” I wondered …
Real-time is more about the business, not the technology. In day-to-day life, to make real-time decisions like buying or investing, business needs the latest information(e.g. Gold Rate/Stock Rate). Unlike traditional days, you need not wait for a fe…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now