Solved

How to prevent "A potentially dangerous Request.Form...."?

Posted on 2004-09-02
4
2,945 Views
Last Modified: 2012-06-27
Hi all,
I get the following error:
----------
A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").

Source Error:


An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.       

Stack Trace:




[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
   System.Web.HttpRequest.get_Form() +113
   System.Web.UI.Page.GetCollectionBasedOnMethod()
   System.Web.UI.Page.DeterminePostBackMode()
   System.Web.UI.Page.ProcessRequestMain()
   System.Web.UI.Page.ProcessRequest()
   System.Web.UI.Page.ProcessRequest(HttpContext context)
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
----------

I use a normal <form action="post"> and a normal <texarea>, both do NOT use "runat=server".

The text that causes this crash contains a "<", if I take it out, it's not dangerous anymore.

Any ideas, WHY this is happening... and more important, how to prevent it?

Thank you.
0
Comment
Question by:Smoerble
4 Comments
 
LVL 7

Accepted Solution

by:
gsiric earned 300 total points
ID: 11962808
WHY this is happening:
 Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted.

how to prevent it?
You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section.

Page directive:

<%@ Page ... validateRequest="false" %>
 
configuration section:

<system.web>
   <pages validateRequest="false" />
</system.web>

Look more at:
http://www.aspnetpro.com/NewsletterArticle/2004/03/asp200403dk_l/asp200403dk_l.asp

0
 
LVL 9

Assisted Solution

by:msdixon
msdixon earned 100 total points
ID: 11962823
in your page directive (the top of the page in html view that starts <%@ Page) add ValidateRequest="false"

this will tell .net not to worry about html characters. they do it so if someone tries to post html to a message board, etc., (something like "<b>all bold", a script, you get the idea) it won't screw everything up.
0
 
LVL 9

Assisted Solution

by:Rodney Helsens
Rodney Helsens earned 100 total points
ID: 11963244
These guys have answered your question, I thought I would add a few comments.

If you don't know what cross site scripting and you're developing a web application, you will want to learn sooner rather than later.

Here is one article on XSS with some SQL Injection thrown in for good measure
http://dotnetjunkies.com/WebLog/richard.dudley/articles/13706.aspx

0
 

Author Comment

by:Smoerble
ID: 11968393
Very good link, and many thanks for the helps above, here are the points (unfortunatly I can't give more than 500).
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Summary Displaying images in RichTextBox is a common requirement with limited solutions available. Pasting through clipboard or embedding into RTF content only support static images.  This article describes how to insert Windows control objects int…
Today I had a very interesting conundrum that had to get solved quickly. Needless to say, it wasn't resolved quickly because when we needed it we were very rushed, but as soon as the conference call was over and I took a step back I saw the correct …
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question