ASP.NET Request Validation – Preventing Script Attacks

Yesterday I was working with a self-posting form that contained HTML characters as part of a content management implementation using ASP.NET, and I came across an error message I’d not seen from any application server. It said:

“A potentially dangerous Request.Form value was detected from the client..”

In short, as of ASP.NET 1.1, Microsoft by default does not allow clients to post client script code or HTML to a form. As a developer, you have to explicitly allow it, either for a single page by including this:

<%@ Page validateRequest="false" %>

in your ASP.NET page, or site-wide by turning it off in the web.config file:

<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>
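
With request validation switched off, the page itself has to neutralize posted markup before echoing it back. The following is an added example in C#, not code from the original post or from Microsoft: it encodes everything and then restores a short allow-list of attribute-free tags. The names `PostedHtml` and `ToSafeHtml`, the tag list and the sample input are assumptions, and `System.Net.WebUtility` requires .NET 4.0 or later.

```csharp
using System;
using System.Net;
using System.Text;

// Hypothetical helper for a page that sets validateRequest="false".
public static class PostedHtml
{
    // Tags the editor may keep (assumed list); everything else stays encoded.
    private static readonly string[] AllowedTags = { "b", "i", "p", "br" };

    public static string ToSafeHtml(string posted)
    {
        if (string.IsNullOrEmpty(posted)) return string.Empty;

        // 1. Encode everything, so <, >, & and quotes become inert entities.
        var sb = new StringBuilder(WebUtility.HtmlEncode(posted));

        // 2. Re-enable only exact, lowercase, attribute-free allow-listed tags.
        //    A tag carrying attributes (e.g. an event handler) never matches
        //    and therefore remains encoded text.
        foreach (string tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return sb.ToString();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample of what a CMS form field might post.
        string posted = "<p>Hello <b>world</b></p><script>alert(1)</script>" +
                        "<b onmouseover=\"x()\">hover</b>";

        // The <p> and <b> pairs survive as markup; the script element and the
        // <b> tag with an attribute come out as harmless encoded text.
        Console.WriteLine(PostedHtml.ToSafeHtml(posted));
    }
}
```

In a page, pass each posted `Request.Form` value through a helper like this before writing it into the response or storing it for later display.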

Automatic request validation, in my humble opinion, is pretty nice. Way to go Microsoft. You can read more about this feature on the official ASP.NET site.
