I'm using ASP.NET WebForms (.NET 4.5) and have an "content block" control, which is reused on a number of pages. I've tried setting the ValidateRequestMode of the control and even individual elements to "Disabled", but the request validation coming from web.config still prevents unsafe input.

Is there a way around this or am I doing something wrong?

Example:

I just solved this same problem for a site with the code below, after a morning of trial and error - Microsoft's documentation on the new Request Validation process seems to be wrong when it comes to WebForms.

Target .NET 4.5 in the web.config like this:

<httpRuntime targetFramework="4.5" requestValidationMode="4.5" />

And then adding ValidateRequestMode="Disabled"to the input controls themselves i.e.:

<asp:textbox id="myControl" runat="server" ValidateRequestMode="Disabled"/>

If you are accessing POST data directly (as opposed to via myControl.Text) You will also need to bypass validation at that point:

Request.Unvalidated.Form("myControl");

Agree with Jason Elkin.

As a supplement, after setting ValidateRequestMode="Disabled" on Control level, in server-end, whenever accessing to Request , you have to visit Request.Unvalidated to get the value.

This answer extends @Jason Elkin's answer above to .NET Framework 4.8 and limiting the scope of its relaxed security to a specific directory. As previously reported, ValidateRequestMode="Disabled" by itself did not work for me. What did work was inserting the following into my ASP.NET application project Web.config file:

  <location path="pages/ajax">
    <system.web>
      <!-- enable AJAX -->
      <xhtmlConformance mode="Strict" />
      <!-- this allows HTML content to post back when control's ValidateRequestMode="Disabled" -->
      <httpRuntime targetFramework="4.8" requestValidationMode="4.8" />
    </system.web>
  </location>

where "pages/ajax" is the relative path from the web.config directory to the directory that contains the web forms that post HTML input.