A potentially dangerous Request.Form value was detected from the client

    Question

  • We have a DOT.NET app that we paste info into. Sometimes the text contains characters which seem to offend dot.net. So the application breaks. How do we intercept these breaks and then decide for ourselves if the content is really "potentially dangerous" or not?

    The same string even breaks this "post a new message".

    Tuesday, July 11, 2006 4:31 PM

All replies

  • Is this happening in a web app? If so you may want to direct it to the ASP.NET forums where the folks there tend to think in a more ASP.NET centric sort of way.

    Also if it is and you are sure that you are doing enough cleansing and validation of the input to prevent injection attacks you may want to consider turning off validateRequest for the page or application.

    Tuesday, July 11, 2006 4:42 PM
  • What Brendan said is absolutely true.

    if you have things like script tags or html tags (<>)  then that will be considered as an unsafe/dangerous input as soon as you press a button or whatever....

    As suggested, you can turn off the validateRequest or you can have your own client side scripting to deal with inputs.

    Tuesday, July 11, 2006 5:15 PM
  • Hi,

    only for some pages in our Web application I set ValidateRequest="false" and implemented a CustomValidator to check TextBox entries if they contain "dangerous text".

    Which "rules" does ValidateRequest apply to determine what is dangerous and what is not?

    e.g.
    This ist an arrow --> which is safe
    This <test is NOT safe.

    I'd like to re-use the .NET Framework code which checks for dangerous content. Is there a method like IsTextDangerous()?

    Otherwise I have to do all checks by myself (e.g. <script>, <object>, <applet>,  <form>, <embed>, ...)

    thx, hfr
    Thursday, August 30, 2007 10:02 AM
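
A sketch of the kind of check asked about in the post above, as an added example that is not part of the thread and not .NET Framework code. It assumes the ASP.NET 4.x rule, under which a value is rejected when `<` is followed by a letter, `!`, `/` or `?`, or when `&` is followed by `#`; `InputCheck` and `LooksDangerous` are hypothetical names and the sample strings are constructed.

```csharp
using System;
using System.Net;

// Added example: approximates the assumed ASP.NET 4.x request-validation rule so a
// CustomValidator can apply it on pages where ValidateRequest="false".
public static class InputCheck
{
    // True when '<' is followed by an ASCII letter, '!', '/' or '?',
    // or when '&' is followed by '#'. A trailing '<' or '&' is not flagged.
    public static bool LooksDangerous(string s)
    {
        if (string.IsNullOrEmpty(s)) return false;
        for (int i = 0; i < s.Length - 1; i++)
        {
            char c = s[i], next = s[i + 1];
            if (c == '<' && (IsAsciiLetter(next) || next == '!' || next == '/' || next == '?'))
                return true;
            if (c == '&' && next == '#')
                return true;
        }
        return false;
    }

    private static bool IsAsciiLetter(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }

    public static void Main()
    {
        // Constructed sample inputs, including the two lines from the post above.
        string[] samples =
        {
            "This is an arrow --> which is safe",
            "This <test is NOT safe.",
            "1 < 2 and 3 > 2",
            "<b>bold</b>",
            "&#60;b&#62;"
        };
        foreach (string s in samples)
        {
            // Whatever the check reports, encode at output time before writing into HTML.
            Console.WriteLine("{0,-5} {1}", LooksDangerous(s), WebUtility.HtmlEncode(s));
        }
    }
}
```

On a page with ValidateRequest="false", a check like this is only an input filter; HTML-encoding the value when it is written back into the page is what keeps posted markup from being rendered.
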
  • hfrmobile, when you post a follow up question to an already question no one but those who previously posted to the first are able to answer it... instead if you still need an answer to your question post it as a separate one.

     

    Given you are really talking ASP.NET though you should probably direct your question over to the ASP.NET forums.

    Monday, September 03, 2007 9:19 PM
  • It is not very useful to create a new thread for each tiny question because this leads to the following:

    As suggested I searched at this forum for "ValidateRequest CustomValidator" and found 2429 items. If I search with AND then only 5 items are found but not including the answer of my simple question ;-)

    Maybe it's just a regular expression?

    Why is your answer marked as "helpful"? It isn't ;-)
    Tuesday, September 04, 2007 10:08 AM
  • I disagree, while it does mean there are more threads that show up in a search (the actual post count doesn’t really change though), it means that your new thread will show up at the top of the list so more people can assist in answering it instead of hoping that one of the previous posters to the previous thread (the only ones who see that the thread has been posted to directly) check it and help... something that isn’t all that common on a thread that is a year old.

    Tuesday, September 04, 2007 3:47 PM
  •  Brendan Grant wrote:

    I disagree, while it does mean there are more threads that show up in a search (the actual post count doesn’t really change though), it means that your new thread will show up at the top of the list so more people can assist in answering it instead of hoping that one of the previous posters to the previous thread (the only ones who see that the thread has been posted to directly) check it and help... something that isn’t all that common on a thread that is a year old.



    I disagree too because it makes no sense to post such nonsense like yours. Please try following options:
    Thank you very much!

    Edit: Ok, I am not a bad guy and so I started a new thread with my question (BTW: this thread is on top and not as you said it will be not ... each answer causes the thread to increase its ranking)
    Thursday, September 06, 2007 6:59 AM
  • hi...
     i got "potentially dangerous request.form value was detected from the client"... i used ur method Validaterequest="false"... it got solved... thank you..

    Wednesday, June 17, 2009 9:43 AM
  • To Summarize, turning validate request off does solve the issue.

    How to turn off validate request:

    1. In web.config, add the following: this will turn off validate request on all pages

    <configuration>
      <system.web>
        <pages buffer="true" validateRequest="false" />
      </system.web>
    </configuration>

    2. In Page markup directive, add the following: this will turn off validate request on specific page

    <%@ Page ValidateRequest="false" %>

    Please mark this as answer to facilitate search as this page is search engine optimized.

    • Proposed as answer by Sile Huang Thursday, November 25, 2010 5:38 PM
    Thursday, November 25, 2010 5:38 PM
  • You need to do a couple of modifications to your application to get this fixed. Have a look.

    1. Add <httpRuntime requestValidationMode="2.0" /> in your application web.config

    2. Add ValidateRequest="false" on your page

    A potentially dangerous Request.Form value was detected


    Saturday, November 27, 2010 9:30 PM
  • I had the same message when I was using wysiwyg editor CKeditor. The editor was sending unencoded html with the post. 
    I managed to get this value decoded and sent to the server.
    Here is my solution:
    http://arturito.net/2011/05/26/ckeditor-a-potentially-dangerous-request-form-value-was-detected-from-the-client/ 

    Wednesday, June 01, 2011 5:50 PM
  • I found a solution I'd like to share, as I fought this for a couple of days.  I didn't want to just turn off validation, as that seems like a fairly good idea.  Instead, what I did was create a JavaScript function like this that gets called from the onclientclick event of my buttons:

       

        <script type="text/javascript">
            function Encode() {
                var value = document.getElementById("<% = txtBody.ClientID %>").value;
                while (value.indexOf("<") != -1) {
                    value = value.replace("<", "&lt;");
                }
                while (value.indexOf(">") != -1) {
                    value = value.replace(">", "&gt;");
                }
                document.getElementById("<% = txtBody.ClientID %>").value = value;
            }
        </script>

    Obviously, you'd need to replace the txtBody with the name of your control.  Then, in the page load event, update your control with a decoded version of what you posted (like this:)

    txtBody.Text = Server.HtmlDecode(txtBody.Text);

    This seems to work well, but needs to be added to any control on your page that does a postback.  If you use listboxes/dropdown lists that postback, since they have no onclientclick event, you'd need to do something like this:

    lstMailCodes.Attributes["onchange"] = "Encode()";

    Wednesday, December 26, 2012 8:58 PM
  • There are 3 options to remove this error.

    1. Set validateRequest="false" in page directives.

    2. Set validateRequest="false" in web.config file.

    3. Set requestValidationMode="2.0" in web.config if you are using DotNet 4.0

    Check out this link for more info.

    http://blogershub.com/Archive/2013/12/A-potentially-dangerous-Request-Form-value-was-detected-from-the-client-in-ASP-NET-WebForms


    • Edited by Samunder Singh Friday, February 21, 2014 5:52 AM URL update
    Friday, December 06, 2013 3:31 PM