.NET 4.0, HTML, and a Potentially Dangerous Request.Form Value

Please note that this post was migrated to my new blog platform. There may be bad formating, broken links, images, downloads and so on. If you need an item on this page, please contact me and I will do my best to get it from my backups.


validation I ran across a breaking change tonight in the .NET 4.0 CLR’s version of ASP.NET.  The 4.0 version of the CLR binds to any HTTP request data to validate against.

The entire error you may see is:

A potentially dangerous Request.Form value was detected from the client

This is because 4.0 now inspects all request data.  Rather that being the cookies, urls, headers, etc.  A very nice security upgrade, I might say.  This will prevent a hacker from submitting malicious code through cookies or other means that you may be parsing.

WYSIWYG and/or HTML Editors with .NET 4.0’s CLR

One common issue that immediately creeps up with this new security is when you want to use a rich-text editor or even a textbox that you want to submit HTML data through.  This seems to be now impossible with .NET 4.0’s CLR’s default validation because you cannot override this behavior, if you remain in 4.0’s validation.

And no, there is no way to selectively disable which items to validate.

ASP.NET MVC’s ValidateInput attribute does not work

You, like me, most likely just slapped a big ol’ fat [ValidateInput] attribute on your MVC controller’s action method and thought you were done.  But behold, the error still remains!

This is because your MVC website is running on the .NET 4.0 CLR and therefore continues to be validated.

The Fix: HttpRuntime requestValidationMode

The work-around is to place this into your web.config’s <system.web> node:

<httpRuntime requestValidationMode="2.0" />

What this does is it forces the CLR to only check the Page’s html fields, which you can now overwrite with the [ValidateInput] attribute in MVC controllers, or the <%@ Page validateRequest="false" %>, or any other normal means.

Sadly though, this also disables all of those other checks for the request data.  Obviously, this is not a preferred work-around and even though VS 2010 is due for release on April 12th (just around the corner!), I do not see any notations of this being changed anytime soon.

If someone knows a work around for 4.0, please let me know.  This is a great new feature, but sadly we must disable it for just about any website we develop on.

Unless we move to MarkDown that is (which I am a big fan of, clients not so much…).

You can find out more information about this over at MSDN

> Revision History
> About the author