Disabling ASP.NET Request Validation (for just one page) in a .NET 3.5 project hosted on IIS 7.5 with only .NET 4.0 installed

Asked 6/5, 2011 at 11:16 Answered 26/11, 2015 at 14:58

Solved asp.net iis-7 webforms request-validation

I'm having a problem with request validation in ASP.NET webforms that I am fairly sure is down to me hosting a .NET 3.5 project on IIS 7.5 (Windows 7 - local development machine).

Essentially I'm receiving a postback from an external site (that is entirely outside of my control) and receiving the following exception:

A potentially dangerous Request.QueryString value was detected from the client (DATA="<IDP MSGTYPE="Authen...").

I've got this set in the page declaration:

<%@ page language="C#" autoeventwireup="true" inherits="postexternal" enableviewstate="false" masterpagefile="~/SiteBase/transactional.master" Codebehind="postexternal.aspx.cs" validaterequest="false" %>

(and additionally I've tried turning it off in web.config/page as well - to no avail.

I think that this may be to do with a breaking change made in (what MS say) ASP.NET 4.0, as described here: http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes#0.1__Toc256770147

But if I add that configuration into my web.config I get a configuration error (as its running in a .NET 2.0 application pool).

Whichever way I look I'm stuck at the moment so would appreciate any pointers/advice people have. Is there anyway I can work around this any other way?). I could try to install .NET 2.0 but I'm not sure that is even going to work (and seems a pretty fragile method to try).

Thanks.

Hadleigh answered 6/5, 2011 at 11:16 Comment(2)

Not an answer, but FYI that if you have .Net 3.5 running, the .Net 2.0 runtime and libraries are already installed. .Net 3.5 is basically just some extra DLLs added on top of .Net 2.0--it still used .Net 2.0 runtimes. .Net 4 however did finally get its own CLR (runtime) and runs in a separate process from .Net 2.0 stuff. – Sanborne 13/5, 2011 at 14:9

That appears to be the correct code. Have you checked that the IIS 7.5 application pool this site is using is indeed running in the .Net 2.0 runtime (.Net 3.5 uses the 2.0 runtime). Could the master page or some other code or filter be setting validaterequest back to true? Have you done a full recompile of the site to make sure files are up to date? Seems silly, but have you double-checked that the ASPX you think you set this on is the same one that is running? No URL redirections or anything? – Sanborne 13/5, 2011 at 14:13

I had this issue too and adding this to the web.config resolved the issue.

<httpRuntime requestPathInvalidCharacters="" />

By Default, .Net 4.0 rejects all requests with <>*%&:\? characters which may be causing the issue for you like it was for me.

[ConfigurationProperty("requestPathInvalidCharacters", DefaultValue=@"<,>,*,%,&,:,\,?")]
public string RequestPathInvalidCharacters { get; set; }

Spireme answered 5/11, 2011 at 0:46 Comment(1)

Hi, for me in local everything is working fine, on server it allows to post same HTML characters in all other pages, its not just working in single page... Please check my question here. #26880821 Any help would be appreciated. – Begga 12/11, 2014 at 6:37

You can find a solution on tihs page : https://msdn.microsoft.com/en-us/library/hh882339.aspx

or just update your web.config file after system.web tag with this :

</system.web>
<location path="MyPage.aspx">
    <system.web>
        <pages validateRequest="false" />
        <httpRuntime requestValidationMode="2.0" />
    </system.web>
</location>

Highway answered 26/11, 2015 at 14:58 Comment(0)

Recommended topics

Hot tags