How to disable application request validation in asp.net

Question

I want to be able to save things like:

<script src="https://spreadsheets.google.com/gpub?url=http%3A%2F%2Foj0ijfii34kccq3ioto7mdspc7r2s7o9-ss-opensocial.googleusercontent.com%2Fgadgets%2Fifr%3Fup_title%3DBrands%26up_initialstate%26up__table_query_url%3Dhttps%253A%252F%252Fspreadsheets.google.com%252Fspreadsheet%252Ftq%253Frange%253DA%25253AE%2526key%253D0AqFjLMbUaBn_>

In an nvarchar(max) field, I get the following when I try to insert:

"Server Error in '/TheScienceAndArtOfDataVisualization' Application. A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$txtCode="<script src="https:/...")."

I tried to add the validateRequest="false" to the page I want to disable validation in it, it didn't work, I got the same error message! PS: I am using Visual Web Developer 2010 Express. — Maen
– Maen, Commented Jun 7, 2011 at 20:19

Brandon · Accepted Answer · 2011-06-07 19:55:18Z

3

DeadYCool's answer will work if you want to disable request validation on all pages, if you just want to disable it on a specific page, you can set ValidateRequest="false" in the Page directive of the .aspx file.

<%@ Page ValidateRequest="false"...

answered Jun 7, 2011 at 19:55

Brandon

70.3k32 gold badges201 silver badges227 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

n8wrl · Accepted Answer · 2011-06-07 19:55:00Z

1

If you're using ASP.NET 4.0 you may also have to make a change to web.config:

<configuration>
  <system.web>
    <!-- Sad requirement to allow ValidateRequest="false" -->
    <httpRuntime requestValidationMode="2.0" />

But it should be avoided if possible.

answered Jun 7, 2011 at 19:55

n8wrl

19.9k4 gold badges70 silver badges106 bronze badges

Comments

Adam Tuliper · Accepted Answer · 2011-06-07 21:41:20Z

0

Please try not to disable this. HtmlEncode your results before you send them to the server. Disabling disabled some built in protections. Either way also use the Anti Cross site scripting libraries GetSafeHtmlFragment. By allowing html you can open yourself up to a cross site scripting attack. See my talk here to understand the issues:

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/DEV333

answered Jun 7, 2011 at 21:41

Adam Tuliper

30.2k4 gold badges56 silver badges71 bronze badges

Comments

WojtekT · Accepted Answer · 2011-06-07 19:53:01Z

-2

In web.config find the following:

<pages validateRequest="true">

and change to:

<pages validateRequest="false">

answered Jun 7, 2011 at 19:53

WojtekT

4,77527 silver badges37 bronze badges

2 Comments

n8wrl Over a year ago

I really worry about offering this as a solution to a single page - this disables it for the whole site.

Maen Over a year ago

Same here, I don't wanna disable it site-wide!

Collectives™ on Stack Overflow

How to disable application request validation in asp.net

4 Answers 4

Comments

Comments

Comments

2 Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

4 Answers 4

Comments

Comments

Comments

2 Comments

Your Answer

Sign up or log in

Post as a guest

Related