I am using freetextbox and have added to the web.config of my app but I still get the following error when submitting text with html:
A potentially dangerous Request.Form value was detected from the client (ctl00_MainContent_FreeTextBox1="
I know this is not the preferred way to set up an app but why am I getting these errors even though I have turned off request validation in my app?
The short answer is you shouldn't be getting such an error if you turned off Request Validation.
Did you do one of these two things correctly?
Disable on the page by inserting this at the top of the ASPX
Add the below section to your web.config.
<configuration>
<system.web>
<pages validateRequest="false" />
</system.web>
</configuration>
If that doesn't work then check the machine.config and see if the pages validaterequest value is set to true in there as that would override the web.config.
I had the same problem, and it was actually my fault. Maybe you have done the same mistake: I placed <httpRuntime requestValidationMode="2.0"/> inside
<configuration><location><system.web> instead of <configuration><system.web>.
Ensure that you haven't enabled request validation for this page. I would keep validation running for your site - but turn it off on pages where you need this control.
Be sure to sanitize anything that gets posted and be prudent about security.
Related
I created web page where user can fill his detail.After clicking on button,user is redirected to another page.Suppose user enter something in address which include '<' or '>'I am changing it with it's htmlencode character through javascript onclientclick event of button to avoid error 'potentially dangerous Request'. and onclick event of button again,replacing htmlencode character to '<' or '>'.When user use browser's back button.He will see html encode character not '<' or '>'.Why this is happening,I already changed to '<' ?.How to handle this?I am using content page?I am using .net framework 4.5.
This feature is designed to help prevent some script-injection attacks.
To disabling request validation for your application, Please set the validateRequest =false in web config file.
<configuration>
<system.web>
<pages validateRequest="false" />
</system.web>
</configuration>
Please refer this link for more.
http://www.asp.net/whitepapers/request-validation
It looks like there is a bug in customErrors default redirect in web.config. In my web.config file I have the following customErrors setting
<customErrors defaultRedirect="~/generalerror.html?" mode="On" />
As far as I know this should send all errors to the custom generalerror.html page. It seems to work for some invalid URLS like
http://website.com/?x="<p>"
http://website.com/"<p>"
BUT it is not working when “&” is used in the URL and there is no “?” and there is an HTML tag. So this
http://website.com/&x="<p>"
totally ignores customErrors and you are given the default yellow Runtime Error instead of being sent to the custom generalerror.html page. How do I get this URL to also be redirected to the custom error page ?
If I turn mode="Off" in the web.config I get the following error
A potentially dangerous Request.RawUrl value was detected from the client (="/&x="<p>"").
Since you are passing HTML tags in the URL, it could be an indicative of cross-site scripting attack. Not all HTML tags are dangerous, but when HTML characters are followed by certain characters like '&' in your case, asp.net considers it as a cross-site scripting attack and doesn't allow it by default.
You should consider encoding the URL to get around this. And it is always a best practice. Here is a good explanation about XSS. And here is a link that explains in detail how to get around this issue.
To change this behavior, you can set request validation to false in web.config.
<configuration>
<system.web>
<pages validateRequest="false" />
</system.web>
</configuration>
But in this case, requests need to be validated in the pages.
Breaking changes were made to ASP.NET request validation in .NET 4.0 and this entry is required to revert the behavior to .NET 2.0 where invalid URLs will redirect to custom error page.
<httpRuntime requestValidationMode="2.0" />
I want to be able to save things like:
<script src="https://spreadsheets.google.com/gpub?url=http%3A%2F%2Foj0ijfii34kccq3ioto7mdspc7r2s7o9-ss-opensocial.googleusercontent.com%2Fgadgets%2Fifr%3Fup_title%3DBrands%26up_initialstate%26up__table_query_url%3Dhttps%253A%252F%252Fspreadsheets.google.com%252Fspreadsheet%252Ftq%253Frange%253DA%25253AE%2526key%253D0AqFjLMbUaBn_>
In an nvarchar(max) field, I get the following when I try to insert:
"Server Error in
'/TheScienceAndArtOfDataVisualization'
Application. A potentially dangerous
Request.Form value was detected from
the client
(ctl00$MainContent$txtCode="<script
src="https:/...")."
DeadYCool's answer will work if you want to disable request validation on all pages, if you just want to disable it on a specific page, you can set ValidateRequest="false" in the Page directive of the .aspx file.
<%# Page ValidateRequest="false"...
If you're using ASP.NET 4.0 you may also have to make a change to web.config:
<configuration>
<system.web>
<!-- Sad requirement to allow ValidateRequest="false" -->
<httpRuntime requestValidationMode="2.0" />
But it should be avoided if possible.
Please try not to disable this. HtmlEncode your results before you send them to the server. Disabling disabled some built in protections. Either way also use the Anti Cross site scripting libraries GetSafeHtmlFragment. By allowing html you can open yourself up to a cross site scripting attack. See my talk here to understand the issues:
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/DEV333
In web.config find the following:
<pages validateRequest="true">
and change to:
<pages validateRequest="false">
I've seen this error before but cannot seem to get around it. In this case, I have an ASHX page spitting out a simple HTML form with a textbox into which XML may be posted. When I try to read the form, I receive the "A potentially dangerous Request.Form value...".
Since it's a generic handler the "ValidateRequest" attribute isn't available. However I already had this defined in web.config:
<location path="xml/MyGenericHandler.ashx">
<system.web>
<pages validateRequest="false" />
</system.web>
</location>
This snippet predates a move from .NET 3.5 to 4.0 so I'm guessing that's where the breakage originated.
Any idea how to get around this error for ASHX pages?
The 3.5-4.0 change that clipped you was some stepped up runtime security features for ASP.NET 4.0. The quick fix is to apply the following attribute:
<httpRuntime requestValidationMode="2.0" />
Unfortunately, that opens all pages up to 2.0 request validation, so I'd only do this if you've got a relatively small attack surface.
While not a direct answer to your question, I would say to read this previous post. it does give you a way to ensure that the error is not thrown. It's a risky way in one sense, because it means turning off a basic protection. However, the answer is well-reasoned, and the it clearly states that you should only implement it when you're absolutely sure you're encoding all output.
A potentially dangerous Request.Form value was detected from the client
As a side note, I would also recommend using the Microsoft Anti-Xss Library rather than the built in Server.HtmlEncode functions.
However, if you can modify the ashx, a simpler solution would be to just modify the error code and add an "if" statement to not log errors if the error message contains the string you want to filter.
You'd better disable validation for you handler page only:
<location path="MyGenericHandler.ashx">
<system.web>
<!-- requestValidationMode is to avoid HTML-validation of data posted to the handler -->
<httpRuntime requestValidationMode="2.0"/>
</system.web>
</location>
Or use this property from within your handler to avoid triggering the exception:
context.Request.Unvalidated.Form
.NET 4 broke ValidateRequest=“false” for some reason.
The solution is -- just put <httpRuntime requestValidationMode="2.0" /> into your web.config file.
The problem with that solution is that it breaks support for .NET 2.0!
IIS refuses to accept unknown attributes in web.config. Also I don't like the all or nothing nature of this.
Can I set requestValidationMode (or in some other way disable request validation) for a single page that needs it? Without breaking backwards compatibility of web.config with 2.0?
I can confirm that the approach of adding validateRequest="true" to the web.config file works and it is marvellous!
Using this makes the page-level directives work correctly again and it avoids the need to change the behaviour back to the ASP.Net2.0 mode.
Strange that it has any effect, seeing as request validation is normally enabled by default anyway, but no matter.
if you are using .net4 then add this line to web config
<pages validateRequest="false">
and no need to use <httpRuntime requestValidationMode="2.0" /> at all
OK, looks like this can't be done and I can just escape the data easily, but I think this was a legitimate question -- at least to make a note here that this can't be done.
I found a better way, I think. I didn't like the option of reverting back to a 2.0 setting while in 4.0. I also don't like the all or none option.
I played around with a few things and I have at least in my mind a practical solution.
By default all pages are validated regardless of the page directive of "ValidateRequest="false"
I found where to make this setting in the web.config in the system.web section called pages.
(http://msdn.microsoft.com/en-us/library/system.web.configuration.pagessection.validaterequest.aspx)
If the validateRequest attribute is added into the pages element you can control the validation for the whole site.
But I stumbled across a happy thing while testing this. I couldn't find docuementation for this, but here is what I've experienced.
By default validation is turned on everywhere, but if I set the validateRequest to "true" my individual page directives work as they did in 2.0. I don't know why, but I'm happy.
So in summary...
Set the validateRequest to true.
Like here.
Then any page directives work for that validation.
I just put this in my web.config in the system.web node.
<httpRuntime requestValidationMode="2.0" />