Alvaro Dias

ASP.NET Request Validation modes in ASP.NET 2.0, ASP.NET 4.0 and ASP.NET 4.5

My posts these days usually revolve around XAML. This one diverges a bit to blog about an issue I encounter in ASP.NET every few months or so and forget what I did to solve it.

Ever tried posting data that includes special characters such as < or >? For example, consider a web form with a textbox and a button which tries to do something with the contents of the textbox.

On Postback, you will get the following error.

A potentially dangerous Request.Form value was detected from the client
([TextBoxClientID]="[TextBoxText]").


Prior to .NET 4.0, if it was indeed justified to accept that kind of input, we
could specify ValidateRequest="false" for the page, and it would allow us to
post that data in spite of the potentially dangerous contents of the textbox.

ValidateRequest="false" can also be set at the application level, in the
pages element in web.config; however, I wouldn't recommend it.

In ASP.NET 4.0, however, we have to do a little extra to get this to work.
The reason is that in .NET 4.0, by default, request validation is enabled
for all HTTP requests, not just page requests. To bypass this, we need to add
the following entry in the web.config file.
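
The setting that restores the pre-4.0 behaviour is `requestValidationMode="2.0"` on the `httpRuntime` element. The fragment below is an added example, not the post's original snippet; it shows the application-wide form (commented out) beside a form scoped to a single page, and `Comments.aspx` is a hypothetical page name.

```xml
<?xml version="1.0"?>
<!-- Added example for web.config. Comments.aspx is a hypothetical page name. -->
<configuration>

  <!-- Broad form: the whole application falls back to ASP.NET 2.0 request
       validation. Only page requests are validated, and any page may then
       opt out with ValidateRequest="false".

  <system.web>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
  -->

  <!-- Narrower form: only Comments.aspx uses the 2.0 mode. Every other
       request keeps the 4.0 default, so a ValidateRequest="false" placed
       on some other page has no effect.
       Comments.aspx still needs the opt-out in its own directive:
         <%@ Page ValidateRequest="false" ... %>
       and must encode the textbox contents before writing them back out. -->
  <location path="Comments.aspx">
    <system.web>
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>

</configuration>
```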

WARNING: If you decide to do this, be sure to validate the input yourself for malicious HTML or JavaScript.

To read more about this, here’s a link from the asp.net website for the white paper on all ASP.NET 4 breaking changes: http://www.asp.net/whitepapers/aspnet4/breaking-changes

ASP.NET 4.5 builds on this and provides deferred request validation, in which request data is not validated until it is actually accessed.

Read all about this here: http://www.asp.net/vnext/overview/aspnet/whats-new#_Toc318097379