Reputation: 1030

How to disable application request validation in asp.net

I want to be able to save things like:

<script src="https://spreadsheets.google.com/gpub?url=http%3A%2F%2Foj0ijfii34kccq3ioto7mdspc7r2s7o9-ss-opensocial.googleusercontent.com%2Fgadgets%2Fifr%3Fup_title%3DBrands%26up_initialstate%26up__table_query_url%3Dhttps%253A%252F%252Fspreadsheets.google.com%252Fspreadsheet%252Ftq%253Frange%253DA%25253AE%2526key%253D0AqFjLMbUaBn_>

In an nvarchar(max) field, I get the following when I try to insert:

"Server Error in '/TheScienceAndArtOfDataVisualization' Application. A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$txtCode="<script src="https:/...")."

Upvotes: 0

Answers (4)

Adam Tuliper

Reputation: 30152

Please try not to disable this. HtmlEncode your results before you send them to the server. Disabling disabled some built in protections. Either way also use the Anti Cross site scripting libraries GetSafeHtmlFragment. By allowing html you can open yourself up to a cross site scripting attack. See my talk here to understand the issues:

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/DEV333

Upvotes: 0

Brandon

Reputation: 69993

DeadYCool's answer will work if you want to disable request validation on all pages, if you just want to disable it on a specific page, you can set ValidateRequest="false" in the Page directive of the .aspx file.

<%@ Page ValidateRequest="false"...

Upvotes: 3

n8wrl

Reputation: 19765

If you're using ASP.NET 4.0 you may also have to make a change to web.config:

<configuration>
  <system.web>
    <!-- Sad requirement to allow ValidateRequest="false" -->
    <httpRuntime requestValidationMode="2.0" />

But it should be avoided if possible.

Upvotes: 1

WojtekT

Reputation: 4775

In web.config find the following:

<pages validateRequest="true">

and change to:

<pages validateRequest="false">

Upvotes: -2

How to disable application request validation in asp.net

Answers (4)

Related Questions