In this article I will explain, with an example, how to resolve the following error, which occurs when you try to submit HTML content to the server in ASP.Net.
A potentially dangerous Request.Form value was detected from the client (TextBox1="<p>Hello</p>").
Error
The following error occurs when ValidateRequest is set to TRUE and a user tries to submit HTML content to the server. The error is raised because ASP.Net tries to protect the application from Script Attacks.
Server Error in 'ASP.Net' Application.
A potentially dangerous Request.Form value was detected from the client (TextBox1="<p>Hello</p>").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TextBox1="<p>Hello</p>").
Cause
By default, all input controls in ASP.Net are validated for potentially unsafe content that can lead to Cross Site Scripting and SQL Injection attacks.
The ValidateRequest setting is TRUE by default, which disallows malicious content by throwing the above Exception.
Hence it is recommended to leave the ValidateRequest setting at TRUE so that validation is performed on each Request in ASP.Net.
Solution
On some occasions, a requirement makes it necessary to POST HTML content, for example when using Rich Text Editors such as TinyMCE, HtmlEditorExtender, etc.
For such cases the above exception can be suppressed by setting the ValidateRequest to FALSE in the following ways.
1. At Page level using @Page Directive [RECOMMENDED]
The ValidateRequest setting can be set to FALSE in the @Page Directive. Disabling the ValidateRequest setting in the @Page Directive disables it only for that specific Page.
<%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false" %>
2. In Web.Config
The ValidateRequest setting can be disabled for the complete application by setting it to FALSE in the System.Web section of Web.Config as shown below.
<pages validateRequest="false" />
For .Net 4.0 or higher frameworks, the following setting also needs to be added along with the above setting in the System.Web section of Web.Config.
<httpRuntime requestValidationMode="2.0" />
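Once ValidateRequest is FALSE, the error description's advice to explicitly check all inputs falls to the application. The following is an added example, not code from the original article: it encodes the submitted value completely and then restores only a small allow-list of attribute-free tags. SafeHtml, AllowedTags and Sanitize are hypothetical names, and the choice of allowed tags is an assumption.

```csharp
using System;
using System.Net;
using System.Text;

// Added example, not from the original article. SafeHtml, AllowedTags and
// Sanitize are hypothetical names; the tag allow-list is an assumption.
public static class SafeHtml
{
    // Attribute-free formatting tags a rich text editor is allowed to submit.
    private static readonly string[] AllowedTags =
        { "p", "b", "i", "u", "em", "strong", "ul", "ol", "li" };

    // Encodes the whole value, then restores only exact allow-listed tags.
    // Anything else (script tags, attributes such as onclick, upper-case or
    // malformed tags) stays encoded and is rendered as inert text.
    public static string Sanitize(string untrusted)
    {
        if (string.IsNullOrEmpty(untrusted)) return string.Empty;

        var sb = new StringBuilder(WebUtility.HtmlEncode(untrusted));
        foreach (string tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        // Line breaks have no closing tag; accept the common spellings.
        sb.Replace("&lt;br&gt;", "<br />");
        sb.Replace("&lt;br/&gt;", "<br />");
        sb.Replace("&lt;br /&gt;", "<br />");
        return sb.ToString();
    }

    // Console entry point for trying the helper outside a web page.
    public static void Main()
    {
        // Constructed sample inputs, as a rich text editor might post them.
        string[] samples =
        {
            "<p>Hello</p>",
            "<p onclick=\"alert(1)\">Hello</p>",
            "<b>Hi</b><script>alert(1)</script>",
            "&lt;p&gt; typed literally"
        };
        foreach (string s in samples)
            Console.WriteLine(Sanitize(s));
    }
}
```

In the Page that sets ValidateRequest="false", pass TextBox1.Text through Sanitize before storing or rendering it.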