ValidateRequest=“false” and .NET 4 problem

Asked 18/6, 2010 at 20:46 Answered 8/7, 2018 at 12:55

.NET 4 broke ValidateRequest=“false” for some reason.

The solution is -- just put <httpRuntime requestValidationMode="2.0" /> into your web.config file.

The problem with that solution is that it breaks support for .NET 2.0!

IIS refuses to accept unknown attributes in web.config. Also I don't like the all or nothing nature of this.

Can I set requestValidationMode (or in some other way disable request validation) for a single page that needs it? Without breaking backwards compatibility of web.config with 2.0?

Spinach answered 18/6, 2010 at 20:46 Comment(9)

"It refuses to accept unknown attributes in web.config." What does this mean? When I put e.g. <authentication mode="Forms" blabla="5"> I get an error when I start the app ("unknown blabla attribute"), no matter if I set <httpRuntime requestValidationMode="2.0" /> or not. What is exactly the problem? – Ingratiating 18/6, 2010 at 22:47

the problem is that I can't have the same web.config for running under .NET 2 and .NET 4. – Spinach 19/6, 2010 at 0:44

@MK why you need to have the same configuration under NET2 and NET4 ???? I think that you try to do thinks that can not be done. – Heptad 19/6, 2010 at 5:55

@MK: I understand. But I think there is no way to have the same web.config for .NET 2 and .NET 4 with the same request validation behaviour. It breaks compatibility since it's a breaking change. Reason for this breaking change is improved default security, documented here: asp.net/learn/whitepapers/aspnet4/… – Ingratiating 19/6, 2010 at 16:49

@Heptad why not have the same configuration for NET2 and NET4? I have a product that requires .NET2 and works fine under .NET4 except for this little tiny thing. Why would I have 2 separate web.config files? How would my product know which one to use? I suppose it can detect during installation, but what if the user upgrades to .NET4 later for whatever reason? – Spinach 20/6, 2010 at 2:55

@MK you need to decide with witch platform you go and programming and make the tests etc. You can not go with both of them, you going to face problems like this one you have now, and maybe other and you simple can not find the reason. Stay with 2 if 4 have nothing to offer you. Its like to won to live in USA and is Europe in the same time. – Heptad 20/6, 2010 at 5:13

@Heptad Some people are still selling products, not building websites And when you sell a product you need to make sure that it works under as much scenarios as possible to minimize support costs. – Spinach 21/6, 2010 at 1:44

Consider reading this: hanselman.com/blog/… – Pleione 22/6, 2010 at 7:23

I upvoted this cause we are having the exact same problem – Globoid 26/8, 2010 at 2:24

OK, looks like this can't be done and I can just escape the data easily, but I think this was a legitimate question -- at least to make a note here that this can't be done.

Spinach answered 20/6, 2010 at 2:53 Comment(0)

I can confirm that the approach of adding validateRequest="true" to the web.config file works and it is marvellous!

Using this makes the page-level directives work correctly again and it avoids the need to change the behaviour back to the ASP.Net2.0 mode.

Strange that it has any effect, seeing as request validation is normally enabled by default anyway, but no matter.

Lollapalooza answered 3/7, 2012 at 10:16 Comment(0)

if you are using .net4 then add this line to web config

<pages validateRequest="false">

and no need to use <httpRuntime requestValidationMode="2.0" /> at all

Moat answered 8/7, 2018 at 12:55 Comment(0)

OK, looks like this can't be done and I can just escape the data easily, but I think this was a legitimate question -- at least to make a note here that this can't be done.

Spinach answered 20/6, 2010 at 2:53 Comment(0)

I found a better way, I think. I didn't like the option of reverting back to a 2.0 setting while in 4.0. I also don't like the all or none option.

I played around with a few things and I have at least in my mind a practical solution. By default all pages are validated regardless of the page directive of "ValidateRequest="false"

I found where to make this setting in the web.config in the system.web section called pages. (http://msdn.microsoft.com/en-us/library/system.web.configuration.pagessection.validaterequest.aspx)

If the validateRequest attribute is added into the pages element you can control the validation for the whole site.

But I stumbled across a happy thing while testing this. I couldn't find docuementation for this, but here is what I've experienced. By default validation is turned on everywhere, but if I set the validateRequest to "true" my individual page directives work as they did in 2.0. I don't know why, but I'm happy.

So in summary... Set the validateRequest to true. Like here.

Then any page directives work for that validation.

Objection answered 10/11, 2010 at 17:39 Comment(2)

Oh crap. I found that I had some other config issues that gave me a false positive on this one. I think you can pretty much ignore my rantings above except to maybe have a greater understanding of the web config pages section. – Objection 11/11, 2010 at 17:17

So after more work, I will humbly admit there is nothing that can be done to solve this problem other than setting the requestValidationMode="2.0". But I did set the validateRequest = "true" attribute in the pages section of the web config. Then on a page by page basis I can disable the validation. – Objection 11/11, 2010 at 21:56

-1

I just put this in my web.config in the system.web node.

<httpRuntime requestValidationMode="2.0" />

Bastion answered 18/6, 2010 at 21:2 Comment(2)

I guess that might mess up the 2.0 support then in your web.config though. – Bastion 18/6, 2010 at 21:3

Yes, that's what the question is about. It breaks 2.0. And it is blanket for entire app. – Spinach 18/6, 2010 at 21:20

Recommended topics

Hot tags