.NET 4.0, HTML, and A potentially dangerous Request.Form value

08 April 2010

I ran across a breaking change tonight in the .NET 4.0 CLR's version of ASP.NET.  The 4.0 version of the CLR runs request validation against any HTTP request data, not only the page's form fields.

The entire error you may see is:

A potentially dangerous Request.Form value was detected from the client

This is because 4.0 now inspects all request data, whether that is cookies, URLs, headers, etc.  A very nice security upgrade, I might say.  This will prevent a hacker from submitting malicious code through cookies or any other input that you may be parsing.

WYSIWYG and/or HTML Editors with .NET 4.0's CLR

One common issue that immediately crops up with this new security is when you want to use a rich-text editor, or even a plain textbox, to submit HTML data.  This now seems impossible with the default validation in .NET 4.0's CLR, because you cannot override the behavior while you remain in 4.0's validation mode.

And no, there is no way to selectively disable which items to validate.

ASP.NET MVC's ValidateInput attribute does not work

You, like me, most likely just slapped a big ol' fat [ValidateInput] attribute on your MVC controller's action method and thought you were done.  But behold, the error still remains!

This is because your MVC website is running on the .NET 4.0 CLR, so the request is validated regardless of the attribute.

The Fix: HttpRuntime requestValidationMode

The work-around is to place this into your web.config's <system.web> node:

<httpRuntime requestValidationMode="2.0" />

What this does is force the CLR to only check the Page's HTML form fields, which you can now override with the [ValidateInput] attribute in MVC controllers, the <%@ Page validateRequest="false" %> directive, or any other normal means.

Sadly, this also disables all of those other checks on the request data.  Obviously this is not a preferred work-around, and even though VS 2010 is due for release on April 12th (just around the corner!), I do not see any indication of this changing anytime soon.

If someone knows a work-around for 4.0, please let me know.  This is a great new feature, but sadly we must disable it for just about any website we develop.

Unless we move to MarkDown that is (which I am a big fan of, clients not so much…).

You can find out more information about this over at MSDN.

 
Reader's Comments
 
 
David Holt said:
29 April 10 2:51 PM

When I added this tag to my system.web section, I got the following error:  The value of the property 'requestValidationMode' cannot be parsed. The error is: Version string portion was too short or too long.

Changing the value of requestValidationMode to "2.0" did the trick.

 
20 July 10 12:49 PM

I just spent the last 2 hours trying to figure this one out.  Thank you so much for taking the time to write this blog post.

Ross

 
Arkady Bron said:
11 August 10 5:49 PM

I too have been trawling the net and my code for several hours trying to find the solution to this problem. I have read the <httpRuntime requestValidationMode="2.0" /> workaround several times this evening but your blog is the only one to actually specify where in the web.config file it needed to go.

Thank you so much.

 
11 August 10 6:31 PM

@Arkady: Cool!  Yeah, sorry my SEO didn't rank it up higher for you to find earlier.  :)

Thanks!

 
27 August 10 10:56 PM

And a few hours of fruitless debugging has now come to an end!  Thanks for the post, it worked perfectly for me!

 
Peter said:
07 October 10 12:36 AM

Ridiculous that there's no selective way to use it in .NET 4.0.

 
Rick Roth said:
14 October 10 4:47 PM

THANK YOU!

Struggled with this for some time now.

 
Andy West said:
06 November 10 11:14 PM

Any news on this?  The requestValidationMode workaround feels kludgy to me as well.

I'm using Textile because Markdown isn't powerful enough for what I'm doing, but Textile allows raw HTML which obviously causes problems.

 
06 November 10 11:16 PM

@Andy:

I haven't been able to see any other way myself so far in .net 4.0.  :(

 
11 April 11 5:14 PM

After upgrading our CMS website to .NET Framework 4.0 last week and making adjustments to UrlScan.ini with no success at fixing this issue, I opted to just change back to using .NET Framework 3.5. Not a "fix" in my opinion, but I have about 100 people responsible for updating different sections of a website, and couldn't keep preventing them from making updates for too long. Thanks for posting this blog. I'm looking forward to seeing updates to this one.

 
KidFischer said:
19 September 11 8:04 PM

If you do not want to open up your app fully to raw HTML vulnerabilities, you can customize ASP.NET request validation behavior. You do this by writing a class that inherits from RequestValidator, then set the requestValidationType attribute of the httpRuntime element in your web.config to the class that you created.
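
An added example (not the post's or any commenter's code) of the extension point this comment describes, and of the selective validation the post's fix section says the 2.0 mode cannot give you: a RequestValidator subclass that keeps 4.0 validation on for every request source and key except one named form field posted to one page. The class, field, path and assembly names are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Util;

namespace MyApp.Security
{
    // Added example. Registered in web.config (assembly name "MyApp" is assumed):
    //   <httpRuntime requestValidationType="MyApp.Security.EditorAwareRequestValidator, MyApp" />
    // Note: no requestValidationMode="2.0" is needed, so cookies, headers,
    // query strings and every other form field stay validated.
    public class EditorAwareRequestValidator : RequestValidator
    {
        // Assumed names: the rich-text editor posts its HTML in a field
        // called "Body", and only this page is allowed to receive it.
        private const string EditorFieldName = "Body";
        private const string EditorPath = "/Articles/Edit";

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Skip the check only for a Form value (never a cookie, header,
            // query string or URL) with the expected key on the expected page.
            bool isEditorField =
                requestValidationSource == RequestValidationSource.Form
                && string.Equals(collectionKey, EditorFieldName, StringComparison.Ordinal)
                && context != null
                && string.Equals(context.Request.Path, EditorPath,
                                 StringComparison.OrdinalIgnoreCase);

            if (isEditorField)
            {
                validationFailureIndex = -1;
                // The page that reads this field is now responsible for
                // sanitizing the HTML before storing it and encoding it on output.
                return true;
            }

            // Everything else gets the built-in .NET 4.0 check.
            return base.IsValidRequestString(context, value, requestValidationSource,
                                             collectionKey, out validationFailureIndex);
        }
    }
}
```

The bypass is keyed on source, field name and path together, so a value with the same name arriving in a query string or cookie is still rejected with the usual "potentially dangerous" error.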

 
Steve said:
02 May 12 8:21 AM

Thank you for this info!

 
Bradley said:
02 August 12 10:09 AM

Thank you very much for posting this, you have just saved me hours of frustration.. Hero

 
02 August 12 1:07 PM

@Bradley and @Steve:

No problem guys.

 
Venkat said:
24 February 13 12:06 PM

Instead of disabling this nice feature for the entire site, we can disable it for certain pages:

<location path="MyFolder/.aspx">
   <system.web>
     <pages validateRequest="false" />
     <httpRuntime requestValidationMode="2.0" />
   </system.web>
</location>

 
25 February 13 12:22 PM

@Venkat:

Interesting approach.  I'll try that next time.
