CODEWITHSUNDEEP
asp.netvalidationashxgeneric-handlerdangerous-request
roufamatic
roufamatic

Reputation: 18485

"Potentially Dangerous Request.Form" Exception in a generic handler

I've seen this error before but cannot seem to get around it. In this case, I have an ASHX page spitting out a simple HTML form with a textbox into which XML may be posted. When I try to read the form, I receive the "A potentially dangerous Request.Form value...".

Since it's a generic handler the "ValidateRequest" attribute isn't available. However I already had this defined in web.config:

<location path="xml/MyGenericHandler.ashx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
</location>

This snippet predates a move from .NET 3.5 to 4.0 so I'm guessing that's where the breakage originated.

Any idea how to get around this error for ASHX pages?

Upvotes: 3

Views: 3906

Answers (3)

user626528
user626528

Reputation: 14399

You'd better disable validation for you handler page only:

  <location path="MyGenericHandler.ashx">
    <system.web>
      <!-- requestValidationMode is to avoid HTML-validation of data posted to the handler -->
      <httpRuntime requestValidationMode="2.0"/>
    </system.web>
  </location>

Or use this property from within your handler to avoid triggering the exception:

context.Request.Unvalidated.Form

Upvotes: 0

Wyatt Barnett
Wyatt Barnett

Reputation: 15673

The 3.5-4.0 change that clipped you was some stepped up runtime security features for ASP.NET 4.0. The quick fix is to apply the following attribute:

<httpRuntime requestValidationMode="2.0" />

Unfortunately, that opens all pages up to 2.0 request validation, so I'd only do this if you've got a relatively small attack surface.

Upvotes: 6

David
David

Reputation: 73554

While not a direct answer to your question, I would say to read this previous post. it does give you a way to ensure that the error is not thrown. It's a risky way in one sense, because it means turning off a basic protection. However, the answer is well-reasoned, and the it clearly states that you should only implement it when you're absolutely sure you're encoding all output.

A potentially dangerous Request.Form value was detected from the client

As a side note, I would also recommend using the Microsoft Anti-Xss Library rather than the built in Server.HtmlEncode functions.

However, if you can modify the ashx, a simpler solution would be to just modify the error code and add an "if" statement to not log errors if the error message contains the string you want to filter.

Upvotes: 1

Related Questions