Solved

How to prevent "A potentially dangerous Request.Form...."?

Posted on 2004-09-02
4
2,964 Views
Last Modified: 2012-06-27
Hi all,
I get the following error:
----------
A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").

Source Error:


An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.       

Stack Trace:




[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (text="...opi fäsö,-<sdfjllk").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
   System.Web.HttpRequest.get_Form() +113
   System.Web.UI.Page.GetCollectionBasedOnMethod()
   System.Web.UI.Page.DeterminePostBackMode()
   System.Web.UI.Page.ProcessRequestMain()
   System.Web.UI.Page.ProcessRequest()
   System.Web.UI.Page.ProcessRequest(HttpContext context)
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
----------

I use a normal <form action="post"> and a normal <texarea>, both do NOT use "runat=server".

The text that causes this crash contains a "<", if I take it out, it's not dangerous anymore.

Any ideas, WHY this is happening... and more important, how to prevent it?

Thank you.
0
Comment
Question by:Smoerble
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 7

Accepted Solution

by:
gsiric earned 300 total points
ID: 11962808
WHY this is happening:
 Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted.

how to prevent it?
You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section.

Page directive:

<%@ Page ... validateRequest="false" %>
 
configuration section:

<system.web>
   <pages validateRequest="false" />
</system.web>

Look more at:
http://www.aspnetpro.com/NewsletterArticle/2004/03/asp200403dk_l/asp200403dk_l.asp

0
 
LVL 9

Assisted Solution

by:msdixon
msdixon earned 100 total points
ID: 11962823
in your page directive (the top of the page in html view that starts <%@ Page) add ValidateRequest="false"

this will tell .net not to worry about html characters. they do it so if someone tries to post html to a message board, etc., (something like "<b>all bold", a script, you get the idea) it won't screw everything up.
0
 
LVL 9

Assisted Solution

by:Rodney Helsens
Rodney Helsens earned 100 total points
ID: 11963244
These guys have answered your question, I thought I would add a few comments.

If you don't know what cross site scripting and you're developing a web application, you will want to learn sooner rather than later.

Here is one article on XSS with some SQL Injection thrown in for good measure
http://dotnetjunkies.com/WebLog/richard.dudley/articles/13706.aspx

0
 

Author Comment

by:Smoerble
ID: 11968393
Very good link, and many thanks for the helps above, here are the points (unfortunatly I can't give more than 500).
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IP addresses can be stored in a database in any of several ways.  These ways may vary based on the volume of the data.  I was dealing with quite a large amount of data for user authentication purpose, and needed a way to minimize the storage.   …
Today I had a very interesting conundrum that had to get solved quickly. Needless to say, it wasn't resolved quickly because when we needed it we were very rushed, but as soon as the conference call was over and I took a step back I saw the correct …
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question