Validation exception even with ValidateRequest=“false”

Question

I have a textbox in a web form where an admin user can add HTML to be submitted for entry into the database.

In the past, I've always added ValidateRequest="false" to the Page when submitting HTML data to avoid validation error. However, with this website, even with ValidateRequest set to false, I'm getting the following error:

A potentially dangerous Request.Form value was detected from the client

I've heard this is to do with .NET 4 security, but this is an ASP.NET 3.5 application.

Why am I still getting this error?

Answer 1

RequestValidation has significant changes in .Net 4.0.

Take a lot at: http://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.requestvalidationmode(VS.100).aspx

To solve your problem you have to set requestValidationMode to a value less than 4.0 in httpRuntime in weh.config like this:

<httpRuntime requestValidationMode="2.0" />

Answer 2

If you are nervous about setting the request validation back to .net 2 - just add a location flag to web config (along with setting ValidateRequestMode="Disabled" on the text box you want to allow special chars in). The location setting in web.config is like this:

  <location path="login.aspx">
    <system.web>
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>

See excellent article, and comments, regarding this here: https://weblog.west-wind.com/posts/2010/Aug/19/RequestValidation-Changes-in-ASPNET-40