Wednesday, August 29, 2007

System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client xxxxxx

Sometimes we receive this error message:

System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client xxxxxxx ..........

Normally what a developer does:

  1. Change <%@ Page ... validateRequest="true" %> to <%@ Page ... validateRequest="false" %> on the page that fails.

  2. Change the application-wide default in web.config from <system.web><pages validateRequest="true" /></system.web> to <system.web><pages validateRequest="false" /></system.web>.

Either change prevents the error message from being shown, but it does not actually solve the problem. Let me explain what I mean.

validateRequest="true" is there to protect against script injection (cross-site scripting). With it on, ASP.NET inspects every posted form field, query-string value and cookie before the page's event handlers run, and throws HttpRequestValidationException as soon as a value looks like HTML markup. Switching it off removes that check for the page (option 1) or for the whole application (option 2); it does nothing to make the page itself safe.

Let's take a simple application for the current discussion:

A simple page with ValidateRequest="true", containing a textbox (TextBox1), a button and a label (Label1). When the button is clicked, the label takes the text from the textbox.

Enter Good Day! and click the button: the label shows Good Day!.

Now enter <script>alert("Good Day!")</script> and click the button. This time the page fails with:

"A potentially dangerous Request.Form value was detected from the client (TextBox1="<script>alert("Good ...")."

ASP.NET raised the exception because the submitted value looks like HTML markup: exactly what a user would type to inject a script into the page and harm the application and its other users.

To stop seeing this error we could change ValidateRequest="true" to ValidateRequest="false", but bear in mind that this is dangerous for our application. With validation off the input reaches Label1.Text unchanged, the Label control writes its Text into the page as raw HTML (Label does not encode it for you), and the browser executes the script. Whatever a script can do in a user's browser (read the session cookie, submit forms in the user's name, rewrite the page) an attacker can now do to anyone who is tricked into submitting that value.

The recommended way is to keep ValidateRequest="true" and HtmlEncode the input (Server.HtmlEncode or HttpUtility.HtmlEncode) at the point where it is written into the page.

One caveat on how the two pieces fit together: request validation runs when ASP.NET reads the posted form, before Button1_Click is reached, so encoding inside the handler does not make the exception go away for input like the <script> tag above; that input is rejected at the door, and that is the intended behaviour. What encoding buys you is that the page stays safe for every value that does get through: the many characters validation does not reject (it only looks for markup-like patterns such as a < followed by a letter), values that reach the page from a database or a web service rather than from this form, and the day someone turns validation off. Encoding is the actual fix; validation is a second line of defence, not a substitute for it. If a page genuinely must accept markup, disable validation for that single page in its @ Page directive, never application-wide in web.config, and encode or sanitise the value before rendering it.

With the value encoded, the browser shows the characters < and > instead of interpreting a tag, so the label displays the text literally and nothing executes.
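The hardened version of the page described above, as an added example that is not the original post's code: request validation stays on, and the Click handler encodes the untrusted value before assigning it to the label. The control IDs follow the post (TextBox1 appears in the error message; the button and label IDs are assumed), and the file and class names are assumptions.

```csharp
// Default.aspx (markup shown as a comment so the whole example sits in one file)
// <%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs"
//          Inherits="_Default" ValidateRequest="true" %>
// <form id="form1" runat="server">
//     <asp:TextBox ID="TextBox1" runat="server" />
//     <asp:Button  ID="Button1"  runat="server" Text="Button" OnClick="Button1_Click" />
//     <asp:Label   ID="Label1"   runat="server" />
// </form>

// Default.aspx.cs
using System;
using System.Web;
using System.Web.UI;

public partial class _Default : Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Request validation has already run by the time this handler executes:
        // a value such as <script>alert("Good Day!")</script> never reaches
        // this line while ValidateRequest="true"; the page throws
        // HttpRequestValidationException first.
        //
        // Encoding is still required. Label renders its Text as raw HTML, so
        // anything validation lets through (or anything that arrives when
        // validation is off) would otherwise be interpreted by the browser.
        // HtmlEncode turns <, >, &, and quotes into their entity forms, so the
        // text is displayed literally and cannot become markup.
        Label1.Text = HttpUtility.HtmlEncode(TextBox1.Text);

        // Do NOT do this, even with validation on:
        // Label1.Text = TextBox1.Text;   // raw value written into the page
    }
}
```

If a page legitimately has to accept markup (a rich-text editor, for example), turn validation off on that page's @ Page directive only, keep the application-wide default on in web.config, and encode or sanitise the value before it is rendered; the encoding line above is what keeps the label safe regardless of the validation setting.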



Please let me know whether this is helpful.


4 comments:

Unknown said...

This doesn't work, as the error fires before the code gets to the HtmlEncode.

Seema Gosain said...

Hi,
I tried it, but it does not work.
The error still fires.

Anonymous said...

Bravo, the excellent answer.

Unknown said...

The content of the textbox has to be encoded before the postback, otherwise you still get the error.