A potentially dangerous Request.Form value was detected…

In response to my post Why runat="server" for ASP.NET?, Talbott Crowell of Microsoft National Services tried to post the following comment:

I understand your point, but the importance of [runat="server"] is more for consistancy and extensibility. If the developer has to mark some tags some ways (ie an [<asp:] prefix) and in other cases using runat, then it creates more confusion. Also, this simplifies what is sent directly to the user agent as a Response.Write and what needs to be parsed by the ASP.NET engine. What if some user agent of the future has a name collision with one of the ASP.NET tags, it would be difficult otherwise to tell ASP.NET to ignore a tag.

However he got an error. After I set <customErrors mode="Off"/> he was able to provide me with the following error information:

Server Error in '/Mikes' Application.
--------------------------------------------------------------------------------

A potentially dangerous Request.Form value was detected from the client (_ctl2:comment="...s (ie an [<asp:] prefix) and i...").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (_ctl2:comment="...s (ie an [<asp:] prefix) and i...").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (_ctl2:comment="...s (ie an [<asp:] prefix) and i...").]
System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +230
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +99
System.Web.HttpRequest.get_Form() +113
System.Web.UI.Page.GetCollectionBasedOnMethod() +69
System.Web.UI.Page.DeterminePostBackMode() +47
System.Web.UI.Page.ProcessRequestMain() +2106
System.Web.UI.Page.ProcessRequest() +216
System.Web.UI.Page.ProcessRequest(HttpContext context) +18
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87

--------------------------------------------------------------------------------

Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.573

Talbot thinks it was the "<asp:" that caused the error. I don’t have the skills yet to debug this reasonably quickly in the dasBlog code; does anyone know?

Also, I don’t mean to look a gift horse in the mouth, but isn’t this something dasBlog should handle more gracefully? (i.e. I’m not faulting a program that is free, but instead discussing what would be the ideal design.) Or not because of it being a potential security hole?

As for Talbot’s response to my original question, I’ll post a clarification next to my question next.

6 Replies to “A potentially dangerous Request.Form value was detected…”

  1. This hapend when input or select element has value
    starting with "<", so it can be interpreted as hacking …
    Solution:
    if not removing values staring with "<" (I like something like "<select value>" then try this
    Disable request validation by the adding the attribute ValidateRequest="false" to the @ Page directive.
    It is on beging of aspx page, staring with
    <%@ Page Language …
    Example:
    <%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false" CodeFile="Pandora.aspx.cs" Inherits="PandoraPage" %>

  2. Greetings,

    What is the most reliable web hosting company?

    I’m need to build a web site for my supervisor.

    thank you in advance,

    -Michelle

  3. Description: Request Validation has detected a potentially dangerous client input value, and processing of the request
    has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site
    scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the
    configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

    Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was
    detected from the client
    hello …”).

    This could easily be fixed

    just add validateRequest=false in the top most line @ Page

    http://muruganad.com/ASP.NET/_System.Web.HttpRequestValidationException_A_potentially_dangerous_Request.Form_value_was_detected_from_the_client_.html

    Thanks!
    Murugan Andezuthu Dharmaratnam

  4. When I first moved from VS.NET 2002 to VS.NET 2003, I got bit by this. I need to get input with some html tags. The error was:

    System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client

    This is simply the ASP.NET built in validator that checks to make sure people do not enter html format tags that could be used in scriptting attacks. That is great and will keep millions of forms safe automatically. But you need to get around it at times.

    You can use shut it of for a single page by including:

    validateRequest=”false”

    in your page header or you can change it for the entire site by adding an option in your web.config:

    REMEMBER, when you shut this off, every input has the potential to allow scripting attacks, so be careful!

    For more information:

    http://www.asp.net/faq/RequestValidation.aspx

Leave a Reply to Zahed Cancel reply

Your email address will not be published.