nauman_ahmed (United States of America) asked:
Handling "A potentially dangerous Request.Form value was detected from the client" exception without setting validateRequest property to false

Hi experts!

How can the exception "A potentially dangerous Request.Form value was detected from the client" be handled without setting validateRequest to false in the page directive or in the web.config file? Any suggestions?

Thanks, Nauman.
SOLUTION
dharmesh_amity
ihenry

One more way to go: change the setting at page level (in the @Page directive). Other than that, handling it in the global error handler is the only option left.
Oops... I didn't read your question carefully. But I'm still with the same suggestion: handle it in Global.asax's Application_Error event. Not a graceful approach, but that's the only option left.
nauman_ahmed (ASKER)

Thanks for the answers :)

dharmesh:

I have added the following lines in the InitializeComponent() method:

// in InitializeComponent(): wire the page-level Error event to the handler
this.Error += new EventHandler(WebForm1_Error);

// handler: EventArgs carries no exception details, so the last error is read
// from Server.GetLastError(); the error itself is not cleared here
private void WebForm1_Error(object sender, EventArgs e)
{
    Response.Write(Server.GetLastError().ToString());
}

However, the exception is still being thrown.

ihenry:

What do I have to add in Global.asax to prevent the application from crashing due to this error?

Thanks, Nauman.
ASKER CERTIFIED SOLUTION
I am able to handle that somehow on the client side using JavaScript before the request is submitted:

// Called from the form's onsubmit: replaces every "<" and ">" in text inputs
// and textareas with its HTML entity so ASP.NET request validation is not triggered.
function ClearHtmlTags()
{
    var elements = document.forms[0].elements;
    for (var i = 0; i < elements.length; i++)
    {
        var el = elements[i];
        if (el.type == "text" || el.type == "textarea")
        {
            // global regex replace covers every occurrence in one pass
            el.value = el.value.replace(/</g, "&lt;").replace(/>/g, "&gt;");
        }
    }
}

<form id="Form1" method="post" runat="server" onsubmit="javascript:ClearHtmlTags();">

It's working fine now :)

Any idea how I can restrict a textbox so that it doesn't accept the < and > signs?

Thanks, Nauman.
:o) I didn't know you don't actually need to accept HTML tags from user input; in this case, using client-side script and still having validateRequest set to true shouldn't be a problem. But this malicious content could come not just from a textbox or textarea. It can also come in from a cookie or HTTP headers, so if you don't like to see that error message you still have to handle it in the global error event.
You also need to clear the error: call Server.ClearError() in your WebForm1_Error, otherwise the error will still propagate to the top and have the same effect as if it was not handled.
But I think it's a good idea to avoid the error in the first place with the code you posted.
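The Global.asax approach suggested above, combined with the Server.ClearError() point, as an added example (not code from any poster in this thread). It assumes an ASP.NET Web Forms application whose Global class derives from HttpApplication; the class name and the response text are placeholders.

```csharp
// Global.asax.cs (added example): handle only the request-validation
// exception application-wide, clear it, and send a fixed, safe response.
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        // Server.GetLastError() returns the exception that ended the request;
        // the Page.Error handler in the question only received EventArgs.
        Exception ex = Server.GetLastError();
        if (ex == null)
        {
            return;
        }

        // Exceptions thrown while a page executes arrive wrapped in
        // HttpUnhandledException, so unwrap before checking the type.
        Exception inner = (ex is HttpUnhandledException && ex.InnerException != null)
            ? ex.InnerException
            : ex;

        if (inner is HttpRequestValidationException)
        {
            // Stop the exception from propagating to the default error page.
            Server.ClearError();

            // Respond with a fixed message. Never echo the rejected input
            // (form field, cookie or header value) back to the client; that
            // would reintroduce the script-injection risk validation blocked.
            Response.Clear();
            Response.StatusCode = 400;
            Response.ContentType = "text/plain";
            Response.Write("The submitted form contained characters that are not allowed. " +
                           "Please remove '<' and '>' and try again.");
            Response.End();
        }
        // Any other exception is left untouched and follows the normal error path.
    }
}
```

Because request validation also inspects cookies and query string values, this handler covers the cases the client-side script cannot reach.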
Actually JavaScript has done the trick.  If I need to display the HTML code, I can easily use Server.HtmlDecode() to translate the relevant &lt;&gt; codes.

Thanks for the help :)

-Nauman.