How to fix the error ‘A potentially dangerous Request.Form…’ even when ‘ValidateRequest’ is set to false.
ASP.NET provides default protection against cross-site scripting (XSS) attacks through its request validation feature, which checks the data being sent to the server. For example, if someone enters HTML tags into a text box instead of plain text, the entry generates the error ‘A potentially dangerous Request.Form value was detected from the client…’. So the entry is simply not let through to the web server.
But sometimes you need the entry as HTML-formatted data instead of plain text, for example when you use a Content Management System for your web site and want to write formatted content.
For this purpose, in all versions of the .NET Framework (until v. 4.0) it was possible to set ValidateRequest to false in the web page directive, which disabled request validation for that page. Sample:
<%@ Page Language="C#" ValidateRequest="false" AutoEventWireup="true" …
But since .NET Framework version 4.0, even setting ValidateRequest="false" still generates the error ‘A potentially dangerous Request.Form…’.
And Microsoft's articles don’t explain that it is now also necessary to add a setting to the web.config file:
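The setting in question is the requestValidationMode attribute of the httpRuntime element. The fragment below is an added example, not taken from the original post: it scopes the 2.0 validation mode to a single page with a location element instead of the whole site, and the path Admin/EditContent.aspx is a hypothetical name.

```xml
<?xml version="1.0"?>
<configuration>

  <!-- Site-wide default: keep the .NET 4.0 request validation behaviour,
       which validates every request and ignores ValidateRequest="false". -->
  <system.web>
    <compilation targetFramework="4.0" />
    <httpRuntime requestValidationMode="4.0" />
  </system.web>

  <!-- Only the page that must accept HTML falls back to the 2.0 behaviour,
       where ValidateRequest="false" in the @ Page directive is honoured.
       "Admin/EditContent.aspx" is a hypothetical path used for illustration. -->
  <location path="Admin/EditContent.aspx">
    <system.web>
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>

  <!-- Site-wide alternative (broader than needed): set
       requestValidationMode="2.0" on the first httpRuntime element
       and drop the location block. Every page that sets
       ValidateRequest="false" then skips request validation. -->

</configuration>
```

Because request validation no longer screens input on that page, the submitted HTML should be sanitized before it is stored or rendered, and encoded (for example with HttpUtility.HtmlEncode) wherever it is not meant to be displayed as markup.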
So this setting in the web.config file, together with ValidateRequest="false" in the web page, will fix the error.