In this article I will explain, how to resolve the error A potentially dangerous Request.Form value was detected from the client in ASP.Net.
The error exception A potentially dangerous Request.Form value was detected from the client occurs when ValidateRequest is set true and someone tries to submit HTML content to server example <a>Hello</a>. This error comes since ASP.Net tries to protect the application from Script Attacks.
The following error occurs when you try to submit HTML content to server.
Server Error in 'ASP.Net' Application.
A potentially dangerous Request.Form value was detected from the client (TextBox1"=<p>Hello</p>").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TextBox1="<p>Hello</p>").
By default, all input controls in ASP.Net are validated for potentially unsafe contents that can lead to Cross Site Scripting and SQL Injection attacks.
The ValidateRequest setting which by default is TRUE disallows malicious content by throwing the above Exception.
Hence it is recommended to allow the ValidateRequest setting to TRUE so that validation is performed on each Request in ASP.Net.
On some occasions, due to requirement one has to POST HTML content. Example using Rich Text Editors such as TinyMCE, HtmlEditorExtender, etc..
For such cases the above exception can be suppressed by setting the ValidateRequest to FALSE in the following ways.
1. At Page level using @Page Directive [RECOMMENDED]
The ValidateRequest setting can be set to FALSE in the @Page Directive. Disabling the ValidateRequest setting in @Page Directive will disable it only for the specific Page.
This will disable the validation of requests for the page you have set theValidateRequest setting to FALSE.
<%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false" %>
2. In Web.Config
The ValidateRequest setting can be disabled for complete application by setting it to FALSE in the System.Web section of Web.Config as shown below.
<pages validateRequest="false" />
For .Net 4.0 or higher frameworks, the following setting also needs to be added along with the above setting in the System.Web section of Web.Config.
<httpRuntime requestValidationMode="2.0" />