A potentially dangerous Request.Form value was detected…

In response to my post Why runat="server" for ASP.NET?, Talbott Crowell of Microsoft National Services tried to post the following comment:

I understand your point, but the importance of [runat="server"] is more for consistency and extensibility. If the developer has to mark some tags some ways (i.e. an [<asp:] prefix) and in other cases using runat, then it creates more confusion. Also, this simplifies what is sent directly to the user agent as a Response.Write and what needs to be parsed by the ASP.NET engine. What if some user agent of the future has a name collision with one of the ASP.NET tags? It would be difficult otherwise to tell ASP.NET to ignore a tag.

However, he got an error. After I set <customErrors mode="Off"/>, he was able to send me the following error information:

Server Error in '/Mikes' Application.

A potentially dangerous Request.Form value was detected from the client (_ctl2:comment="…s (ie an [<asp:] prefix) and i…").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (_ctl2:comment="…s (ie an [<asp:] prefix) and i…").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (_ctl2:comment="…s (ie an [<asp:] prefix) and i…").]
System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +230
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +99
System.Web.HttpRequest.get_Form() +113
System.Web.UI.Page.GetCollectionBasedOnMethod() +69
System.Web.UI.Page.DeterminePostBackMode() +47
System.Web.UI.Page.ProcessRequestMain() +2106
System.Web.UI.Page.ProcessRequest() +216
System.Web.UI.Page.ProcessRequest(HttpContext context) +18
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87


Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.573

Talbott thinks it was the "<asp:" that caused the error. I don’t have the skills yet to debug this reasonably quickly in the dasBlog code; does anyone know?

Also, I don’t mean to look a gift horse in the mouth, but isn’t this something dasBlog should handle more gracefully? (i.e. I’m not faulting a program that is free, but instead discussing what would be the ideal design.) Or should it not, because this is a potential security hole?

As for Talbott’s response to my original question, I’ll post a clarification alongside my question next.
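For what "more gracefully" could look like, here is an added example; it is not dasBlog's code and not part of the original post. It keeps request validation switched on (so the dangerous value is never handed to page code) and turns the HttpRequestValidationException into a friendly 400 response instead of the yellow error page above; it also shows the discipline a page needs if validation is switched off for one field. The class and control names (Global, CommentPage, commentBox, preview, submit) are assumptions made for the example; the ASP.NET APIs used (Server.GetLastError, Server.ClearError, HttpApplication.CompleteRequest, HttpUtility.HtmlEncode) exist in .NET Framework 1.1.

```csharp
// Added example, not dasBlog's code. Target: ASP.NET 1.1 (the version in the stack trace).
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Global.asax code-behind (class name "Global" is an assumption).
public class Global : HttpApplication
{
    // Fires for every unhandled exception in the application.
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
            return;

        // Exceptions raised while a page is processed arrive wrapped in
        // HttpUnhandledException; GetBaseException() unwraps to the original.
        if (!(ex.GetBaseException() is HttpRequestValidationException))
            return; // every other error still goes through <customErrors>

        // Request validation refused to populate Request.Form, so the suspicious
        // value was never used. Replace the 500 error page with a short, static
        // (and therefore safe) explanation. Do not echo the offending input back.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;
        Response.ContentType = "text/html";
        Response.Write("<html><body><p>Your comment contains markup that this site "
            + "does not accept, such as a &lt; followed by a letter. "
            + "Please write it as &amp;lt; and try again.</p></body></html>");
        CompleteRequest(); // skip the rest of the pipeline for this request
    }
}

// Code-behind for a hypothetical page that has opted out of the safety net with
// <%@ Page ... ValidateRequest="false" %>. Without validation the page itself must
// treat the field as untrusted text: encode it before it reaches any HTML.
public class CommentPage : Page
{
    protected TextBox commentBox; // assumed <asp:TextBox id="commentBox" runat="server" />
    protected Literal preview;    // assumed <asp:Literal id="preview" runat="server" />
    protected Button submit;      // assumed <asp:Button id="submit" runat="server" />

    protected override void OnInit(EventArgs e)
    {
        submit.Click += new EventHandler(Submit_Click);
        base.OnInit(e);
    }

    private void Submit_Click(object sender, EventArgs e)
    {
        // May contain "<asp:", "<script>", quotes, etc. Store it as raw text if you
        // keep it; the encoding belongs at the point where it becomes HTML.
        string raw = commentBox.Text;

        // "<" -> "&lt;", ">" -> "&gt;", "\"" -> "&quot;", "&" -> "&amp;"
        string safe = HttpUtility.HtmlEncode(raw);

        // A Literal in ASP.NET 1.1 renders Text verbatim, so only encoded text may go here.
        preview.Text = safe;
    }
}
```

The two halves illustrate the trade-off the question raises: with validation on, a post containing "<asp:" is rejected before any handler runs, and the only thing to improve is the error presentation; with validation off, nothing rejects it, so every place the text is rendered has to encode it, and one missed HtmlEncode is a stored cross-site scripting bug.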

1 comment so far

#1 Nebojsa Gojnic on 06.22.07 at 8:34 pm

This happens when an input or select element has a value
starting with "<", so it can be interpreted as hacking …
Solution:
If not removing values starting with "<" (I like something like "<select value>"), then try this:
Disable request validation by adding the attribute ValidateRequest="false" to the @ Page directive.
It is at the beginning of the aspx page, starting with
<%@ Page Language …
Example:
<%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false" CodeFile="Pandora.aspx.cs" Inherits="PandoraPage" %>
