Reputation: 7153
I'm using a php script to http post some xml files to a .net URL.
When I submit I get the response:
A potentially dangerous Request.Form value was detected from the client (<?xml version="...UTF-8"?> <!DOCTYPE cXML SYSTE..."). Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
As I'm not using .NET I can't set ValidateRequest="false" in web.config.
Do I need to sanitize my xml before submitting? How can I do this?
Upvotes: 2
Views: 7936
Reputation: 161
In MVC, put the following on the POST action:
[HttpPost, ValidateInput(false)]
public ActionResult PostMethod(Model viewModel)
Upvotes: 3
Reputation: 329
If you use ASP.NET 4.0, besides setting this in the page
<%@ Page ValidateRequest="false" %>
add this in web.config
<httpRuntime requestValidationMode="2.0" />
This should help.
Upvotes: 1
Reputation: 113242
XML, or anything that "looks like" it, is considered dangerous by default, as a reasonable way to block XSS attacks on something expecting plaintext content.
The problem is with the resource you are submitting to, not with your code; file a bug or tech-support request with them.
Upvotes: 1
Reputation: 57159
It's intriguing that you can see the full error, but are not capable of accessing the ASP.NET code. Normally, one can only see the full error when in debug mode, because in production, the error-setting is (should be) RemoteOnly or Off. This seems a configuration mistake and a potential risk on the side of the ASP.NET site.
You say "to http post some xml files". If you were indeed posting files, you wouldn't receive this response. Maybe you can contact the site's owner and ask for him to change the form to allow file-input.
You can change your input such that it doesn't look like XML anymore, but then it isn't XML anymore either. I.e., change all < into &lt; and you'll be able to get your data through, but it must be unescaped when processed.
If this site is supposed to accept XML, it must be changed to accept XML. Either it should accept files, or it should accept HTML/XML input by turning ValidateRequest to off. If it is not supposed to receive XML, there's little you can do. It's like filling in a bank's payment form by putting letters in the amount-field: it just won't work (unless it was designed to work that way).
Upvotes: 3
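The escape-and-unescape approach from the answer above, as an added example that is not part of the original answers. The looksDangerous pattern is a simplified model of what request validation rejects (an assumption), the function names and the "payload" field are hypothetical, and the receiving page has to be changed to decode the value before parsing it.

```php
<?php
// Added example; function names and the "payload" field are hypothetical.

// Simplified model (an assumption, not the framework's code) of what request
// validation rejects: "<" followed by a letter, "!", "/" or "?", or "&#".
function looksDangerous(string $value): bool
{
    return preg_match('/<[A-Za-z!\/?]|&#/', $value) === 1;
}

// Sender side: XML-style escaping, so "'" becomes &apos; rather than &#039;.
function encodeForForm(string $xml): string
{
    return htmlspecialchars($xml, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Receiver side: the value must be unescaped again before it is parsed.
function decodeFromForm(string $value): string
{
    return htmlspecialchars_decode($value, ENT_QUOTES | ENT_XML1);
}

// Constructed sample document, not taken from the question.
$xml = "<?xml version='1.0' encoding='UTF-8'?>\n"
     . "<Request id='42'><Note>A &#169; B</Note></Request>";

// HTML 4.01 escaping turns "'" into &#039;, which still contains "&#".
$html401 = htmlspecialchars($xml, ENT_QUOTES | ENT_HTML401, 'UTF-8');
$escaped = encodeForForm($xml);

$results = [
    'raw XML flagged'            => looksDangerous($xml),
    'HTML 4.01 escaping flagged' => looksDangerous($html401),
    'XML escaping flagged'       => looksDangerous($escaped),
    'round trip intact'          => decodeFromForm($escaped) === $xml,
];
foreach ($results as $label => $value) {
    echo str_pad($label, 28), var_export($value, true), PHP_EOL;
}

// Body to send as application/x-www-form-urlencoded.
echo http_build_query(['payload' => $escaped]), PHP_EOL;
```

After decoding, the receiving page still has to treat the XML as untrusted input and check it explicitly, as the error message in the question recommends.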
Reputation: 45771
You need to set ValidateRequest="false" in the page that's receiving the XML, not in the page that's sending it. If you don't have any access to the page that you're passing the XML to, then you'll need to find another way to pass the data, or transform it into another format first as pretty much anything that looks like HTML will cause an ASP.NET page to trigger this warning.
Upvotes: 2