Search This Blog

Wednesday, September 19, 2007

System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (xx="xxxxx")

Error Message:
System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (xx="xxxxx")


For details discussion on the .Net Request Validation
http://dotnetfish.blogspot.com/2007/08/systemwebhttprequestvalidationexception.html

Causes:
By default, .Net will validate input (Form and QueryString). Input with special tags (HTML, Javascript and etc) will cause the error message shown.


Usage for .NET Request Validation:
This validation can help to prevent "Script Injection".

To turn off the validation: (Not encourage)
<%@Page ... validateRequest="true"%> to <%@Page ... validateRequest="false"%>

Solve the problem:
set ValidateRequest="true" and HTMLEncode the input
For example:
title = Server.HtmlEncode(Request.QueryString["title"].ToString());

No comments: