Friday, 4 April 2008

A potentially dangerous Request.Form value was detected from the client

This error is caused because the .NET framework detected HTML in an input control (e.g. TextBox). I've highlighted 3 possible ways to get round the issue, all with their advantages and disadvantages:

1. Add the following to the existing Page directive on the relevant pages.

ValidateRequest="false"

2. Add the following to the Web.config within the <system.web> section (globally disable request validation). This will allow users to enter HTML into controls which could be harmful or result in undesirable consequences.

<pages validateRequest="false" />

3. Unless you need users to be able to enter HTML into a form, make sure all HTML displayed in controls is encoded.

lblText.Text = HttpUtility.HtmlEncode( lblTest.Text );

No comments: