Potentially dangerous Request.Form value was detected from the client
I

3

7

I am running an ASP.NET MVC application and facing the following error. As I am new to ASP.NET, could someone please help me understand what it means and how I can resolve it?

I tried googling to understand it, but found different answers for the same error which left me more confused.

Exception caught in Global.asax:System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$WarningCtl1$TXTWarningText="

This is the warni...").
   at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.get_Form()
   at System.Web.HttpRequest.get_HasForm()
   at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
   at System.Web.UI.Page.DeterminePostBackMode()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.app_config_appttypes_groupappttypes_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Please suggest.

Irreclaimable answered 31/5, 2012 at 17:46 Comment(3)
Sounds like you're trying to accept HTML markup as part of your request. You have a WYSIWYG editor on the page or something? - Halftone
Have you tried adding the attribute [ValidateInput(false)] to your controller class? - Aymer
I am putting it in my web.config file as <pages theme="Admin" controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID" validateRequest="false"/> - Irreclaimable
G
8

You need to add the ValidateInputAttribute to your controller (which applies it to all of your action methods for that controller, so be careful):

[ValidateInput (false)]
public class MyController : Controller { ... }

Or your action method:

public class MyOtherController : Controller
{
    [ValidateInput (false)]
    public ActionResult MyActionMethod (MyObjectThatTakesInHtml myObject)
    { ... }
}

Edit

As @dotjoe pointed out, and I forgot to mention, you also have access to the AllowHtmlAttribute (found in System.Web.Mvc) on a property in your model.

public class MyObjectThatTakesInHtml
{
    [AllowHtml]
    public string MyHtmlProperty { get; set; }
}
Gaunt answered 31/5, 2012 at 18:30 Comment(9)
I am putting this in my web.config <pages theme="Admin" controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID" validateRequest="false"/> - Irreclaimable
Don't forget about the AllowHtml attribute ;) - Noise
But still I am facing the issue after that... Does [ValidateInput(false)] work differently than validateRequest="False" in web.config? - Irreclaimable
@Noise doh, forgot about that one. =D Thanks. - Denna
np, I think you can only use AllowHtml at the property level... so it'd be on the property inside the MyObjectThatTakesInHtml - Noise
Hey, by the way, the value for allowhtml should be true, right... I am using VB.NET and hence cannot use the [allowhtml] tag... instead I would have to use this <AttributeUsageAttribute(AttributeTargets.Property, AllowMultiple := False, _ Inherited := True)> _ - Irreclaimable
How do you add it in VB.NET? I am getting an error for [allowhtml] - Irreclaimable
@Noise I'm on fire with this one, tried to toss that out in a hurry. Thanks for all the help and being a second set of eyes. - Denna
@tech_learning you just need to use VB.NET formatting instead of C# to decorate your code with attributes. - Denna
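
The property-level approach from the answer above, as an added example that is not part of the original answer or its comments: `[AllowHtml]` is scoped to a single property, and the accepted value is HTML-encoded when it is written back out. `WarningModel`, `WarningController`, the action names, the 4000-character limit and the in-memory store are hypothetical, and ASP.NET MVC 3 or later is assumed.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical view model: only WarningText opts out of request validation.
public class WarningModel
{
    // Still covered by request validation: markup posted here raises
    // HttpRequestValidationException during model binding.
    public string Title { get; set; }

    // Request validation is skipped for this one property, so its value is
    // untrusted markup and must be encoded or sanitized before display.
    [AllowHtml]
    public string WarningText { get; set; }
}

public class WarningController : Controller
{
    // Stand-in for a database column (assumption for this example).
    private static string _storedWarning = string.Empty;

    [HttpPost]
    public ActionResult Save(WarningModel model)
    {
        // No [ValidateInput(false)] on the action or controller, so the
        // other bound fields are still validated.
        if (model == null || string.IsNullOrEmpty(model.WarningText)
            || model.WarningText.Length > 4000)
        {
            return new HttpStatusCodeResult(400, "Invalid warning text");
        }

        _storedWarning = model.WarningText;   // stored exactly as submitted
        return RedirectToAction("Show");
    }

    [HttpGet]
    public ActionResult Show()
    {
        // Encode at output time so stored markup renders as literal text
        // instead of being interpreted by the browser.
        string encoded = HttpUtility.HtmlEncode(_storedWarning);
        return Content("<pre>" + encoded + "</pre>", "text/html");
    }
}
```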
H
4
  • Encode at the client level and decode at the server level

Steps

1. Post the form using the jQuery submit method.

In the jQuery button click event method, encode the field that you want to post to the server. Example:

$("#field").val(encodeURIComponent($("#field").val()));
$("#formid").submit();

At the controller level, access all form id values using

HttpUtility.UrlDecode(Request["fieldid"])

Make sure the controller method doesn't have a parameter.

Haplosis answered 1/7, 2014 at 10:5 Comment(0)
R
-1

MVC

Added attribute to action [ValidateInput(false)]

and confirm web.config setting in system.web

Reduplicative answered 28/2, 2014 at 16:5 Comment(0)
