
A potentially dangerous Request.Form value

In my ASP.NET application, I'm getting the following error message during a POST with certain input:

A potentially dangerous Request.Form value was detected from the client

I know that this occurs because a feature of .NET called Request Validation is preventing potentially dangerous characters that could be used in an XSS attack from being submitted. However, I use an HTML editor and need to be able to turn this feature off for that editor.

I can do this in my web.config file, but it is globally effective - which I am not happy about because it disables this security feature on all fields in my application, not just the HTML editor.

I tried setting the ValidateRequest property of the Page directive in the specific pages I wanted to turn this off in, but unfortunately it did not work.

Can anyone think of any reason why this didn't work?

Edit

Well, I got it working. Thanks to you guys' help I was able to find a property in the editor that allowed encoding of the text area's content before form submission, so .NET was OK with that - then before database insertion and re-rendering of the content I am decoding the content and all is almost well in the universe.

Now that the editor itself works, and no longer throws this error... I have encountered another problem and I am confused why this would even be a problem. I have breadcrumbs at the top of the page, when you click one of the breadcrumbs (linkbuttons) the page bombs with the same error ("A potentially dangerous Request.Form value..."). I'm confused as to why this would happen. Linkbuttons simply submit the form and post the page back on itself - the submit button does the same thing. So why would the submit button function correctly and not the linkbuttons for the breadcrumbs?

I should mention the breadcrumbs are in a user control - although I don't believe that should make a difference.

Thoughts?

I set ValidateRequest to false and it worked for me... That's what Microsoft recommends too: http://www.asp.net/learn/whitepapers/request-validation/ . If you are using VS, maybe try cleaning and rebuilding?

I tend to do it in the @Page directive and not config file though, but you are the first I heard of it not working...

You really don't want to turn this off if you can avoid it because it does help prevent XSS attacks. It would be much better to find the actual cause of the problem. Typically this error is thrown if the viewstate in the page does not match the control set in the code behind. The primary reasons for this might be:

  1. The application pool has a copy of the .dll in memory that does not match the html portion of the page.
  2. If you are running cassini, stop debugging, stop the cassini server process, clean the solution and rebuild.
  3. If you are experiencing this on a remote server, recycle the application pool, clear your page cache, and retry.
  4. It is possible that the temporary asp.net files are unable to be rewritten following a recycle or a rebuild.
  5. If you are on a remote server, stop the website, stop the application pool. Go to the appropriate Temporary ASP.Net files directory and delete the folder for your application.
  6. If you are in cassini server, stop debugging, stop the cassini server process, and close VS. Then go to the temporary ASP.Net files and delete them all. Reload VS, clean/build. Try again.

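Here is a jQuery trick to encode a field value, in this case "textarea":

    // HTML-encode the value of every textarea on the page.
    $("textarea").each(function(i) {
        var $textbox = $(this);
        // .text() stores the value as plain text; .html() reads it back escaped.
        $textbox.val($('<div/>').text($textbox.val()).html());
    });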
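The encode-before-submit and decode-on-the-server round trip described in the question's edit and in the jQuery answer above, as an added example that is not code from the original posts. It reproduces the escaping without a DOM so it runs under Node; `encodeField`, `decodeField`, `looksDangerous` and `roundTrip` are hypothetical names, and `looksDangerous` is only an assumed approximation of the Request Validation check.

```javascript
// Added example; function names are hypothetical.

// Same escaping the DOM applies in $('<div/>').text(v).html():
// &, <, > and U+00A0 are escaped; quotes are left alone.
function encodeField(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/\u00a0/g, "&nbsp;");
}

// Inverse, for the server side. "&amp;" is decoded last so text that was
// literally "&lt;" before encoding is not decoded twice.
function decodeField(value) {
  return value
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&nbsp;/g, "\u00a0")
    .replace(/&amp;/g, "&");
}

// Assumption: rough model of what Request Validation rejects
// ("<" followed by a letter, "!", "/" or "?", and the sequence "&#").
function looksDangerous(value) {
  return /<[a-z!\/?]|&#/i.test(value);
}

// Constructed sample of what an HTML editor might post.
const SAMPLE = "<p>Tom &amp; Jerry &#169; 2010</p>";

function roundTrip(value) {
  const encoded = encodeField(value);
  const decoded = decodeField(encoded);
  return {
    rawFlagged: looksDangerous(value),         // raw markup is rejected
    encoded,
    encodedFlagged: looksDangerous(encoded),   // encoded form is accepted
    decodedFlagged: looksDangerous(decoded),   // decoded value is raw markup again
    lossless: decoded === value,
  };
}

console.log(roundTrip(SAMPLE));
```

Because the encoded field passes Request Validation untouched, the decoded value is unvalidated HTML when it reaches storage and rendering, so that field needs its own sanitizing or output encoding.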
