A potentially dangerous Request.Form

0
151
a-potentially-dangerous-request-form

A potentially dangerous Request.Form value was detected from the client |
CKEditor Error | FCKeditor1 | validateRequest=”false”

This is a typical error many times found by ASP.NET developers. In this post, we’ll see a few ways to stop it, both in Web Forms and in MVC. This error occurs mainly because HTML is found in the data submitted on the Web server. By default all inputs are reviewed for validation so that our web application has a simple defence against XSS attacks.

Error Description

ASP.NET has found potentially unsafe data in the request and it may contain the HTML markup or script. This explanation of the error implies any HTML markup or script entered which can be harmful for the server.

Cause

This error will come when you are using third paty tool like TinyMCE, ckEditor, etc. I am using CKEditor multiline text box. When i am sending any server request then i am geting this error “a potentially dangerous request.form value was detected“. If you click on any button or do some postback operation this error will come. 

Problem Details

ASP.Net input controls are checked by default for potentially inappropriate contents that may trigger Cross Site Scripting and SQL Injection attacks.

The ValidateRequest setting that is TRUE defaults to allow the above-mentioned exemption for malicious content.

The ValidateRequest setting in TRUE should then be required to allow validation on each ASP.Net request.

Solution

We can solve this problem at page level in web forms and using web config.

At Page Level

Simply write validateRequest = false in <% @ Page % > @ directive which is the first line of page aspx. To prevent validation of the submission, I made the following changes to the existing “page” directive in that .aspx file.

This will disable the validation of requests for the page you have set the ValidateRequest setting to FALSE.

<%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false" %>

Must Read SQL – https://kordinate.world/software-development/ms-sql/

At Application Level – In Web.Config

You can disable the ValidateRequest setting for full application by setting it to FALSE in the System.Web section of Web.Config as shown below.

<configuration> 
  <system.web> 
    <pages validateRequest="false" />  
    <httpRuntime requestValidationMode="2.0"/>
  </system.web> 
</configuration>

If your web application is an ASP.NET MVC project and you wish to prevent validation of the page for a particular view, you can apply this property to its controller

[Post, ValidateInput(false)]
public ActionResult XYZ(...) {
   //code
}

In MVC, you can explicitly specify the properties you wish to remove from the validation phase on your platform.

[HttpPost, ValidateInput(true, Exclude = "FieldName")]
public virtual ActionResult xyz(...)
{
//code
}

Another solution to enabling HTML content is to place at the Model.

[AllowHtml]
public string propertyName { get; set; }

Important Links

you can refer to following links which explains same issue “A potentially dangerous Request.Form

stackoverflow.comhttps://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client
c-sharpcorner.comhttps://www.c-sharpcorner.com/article/a-potentially-dangerous-request-form-value-was-detected-from-the-client/
ckeditor.comhttps://ckeditor.com/old/forums/FCKeditor-2.x/potentially-dangerous-Request.Form

Please follow and like us:

LEAVE A REPLY

Please enter your comment!
Please enter your name here