Server Error in Application ... A potentially dangerous Request.Form value was detected ...
When entering a value with angled brackets into a text box on a .NET application the following error is generated in the browser:
Server Error in '/folder' Application.
A potentially dangerous Request.Form value was detected from the client (TextBoxN="...")
The .NET framework raises this error because it detected something in the entered text that looks like an HTML tag. The text doesn't need to contain valid HTML: anything with an opening and closing angle bracket ("<...>") will trigger it.
The error exists as a security precaution. Developers need to be aware that users might try to inject HTML (or even a script) into a text box, which may affect how the form is rendered. For further details see www.asp.net/learn/whitepapers/request-validation/.
This checking was not performed in the .NET 1.0 framework and was introduced with the .NET 1.1 framework.
The remedy is in two parts and you MUST action both:
- To disable request validation on a page, add the following attribute to the existing "Page" directive in the file (you will need to switch to the HTML view for this). For example, if you already have:
<%@ Page Language="vb" AutoEventWireup="false" Codebehind="MyForm.aspx.vb" Inherits="Proj.MyForm"%>
then this should become:
<%@ Page Language="vb" AutoEventWireup="false" Codebehind="MyForm.aspx.vb" Inherits="Proj.MyForm" ValidateRequest="false"%>
In later versions of Visual Studio the value of this property is available via the page properties, so simply set "ValidateRequest" to "False". Either method of setting this achieves the same result.
If you are using .NET 4 then you will also need to add a setting to the httpRuntime configuration section of the web.config file. For example:
If you don't already have a httpRuntime section in the web.config file then this goes inside the <system.web> section.
Alternately, instead of turning validation off on a page by page basis, you can turn request validation off globally (in which case be sure to implement item two below). To turn request validation off globally, add the following to your web.config file:
<pages validateRequest="false" />
This should go within the <system.web> section. It will turn off request validation for every page in your application. (For .NET 4 you will also need the httpRuntime setting in the web.config file mentioned in the note above.)
With request validation turned off, users will be able to enter HTML into text boxes on the page. For example entering:
- Unless you actually need users to be able to enter HTML, you must convert the string to its HTML encoded equivalent. Basically this means that certain characters (like "<") are converted to codes (so "<" is converted to "&lt;", etc). To perform this conversion use HttpUtility.HtmlEncode, for example:
MyLabel.Text = HttpUtility.HtmlEncode(MyTextBox.Text)
You only need to do this for text that will be rendered in the browser.
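Both parts of the remedy in one single-file ASP.NET Web Forms page, as an added example rather than code from the original article: the Page directive switches validation off for this page only, and the click handler encodes the text before a Label renders it. The control names txtInput, btnShow and lblSafe are assumed.

```aspx
<%@ Page Language="vb" AutoEventWireup="true" ValidateRequest="false" %>
<script runat="server">
    ' Constructed example; control names are assumed, not from the article.
    ' Part one: ValidateRequest="false" above means text containing "<...>"
    ' now reaches the server instead of raising the Request.Form error.
    ' Part two: encode before rendering, so the browser shows the text
    ' literally rather than interpreting it as markup.
    Protected Sub btnShow_Click(ByVal sender As Object, ByVal e As EventArgs)
        ' "<b>hi</b>" is rendered as the literal text &lt;b&gt;hi&lt;/b&gt;
        lblSafe.Text = HttpUtility.HtmlEncode(txtInput.Text)

        ' Do NOT do this once validation is off: the Label control writes
        ' its Text to the page unencoded, so raw input would become markup.
        ' lblSafe.Text = txtInput.Text
    End Sub
</script>
<html>
<body>
    <form id="form1" runat="server">
        <asp:TextBox ID="txtInput" runat="server" />
        <asp:Button ID="btnShow" runat="server" Text="Show" OnClick="btnShow_Click" />
        <asp:Label ID="lblSafe" runat="server" />
    </form>
</body>
</html>
```

The same encoding step applies wherever user-supplied text is written to the page, not only to Label controls.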
These notes are believed to be correct for .NET 1.1, .NET 2, .NET 3.5 and .NET 4.0, and may apply to other versions as well.
About the author: Brian Cryer is a dedicated software developer and webmaster. For his day job he develops websites and desktop applications as well as providing IT services. He moonlights as a technical author and consultant.