Tuesday, 19 July 2011

Web.HttpRequestValidationException: A potentially dangerous Request ...


Explanation from here

To prevent some script-injection attacks, with request validation turned off, you need to HTML encode the content of other controls on the form.
HTML encoding will automatically replace any ‘<’ or ‘>’ (together with several other symbols) with their corresponding HTML encoded representation. For example, ‘<’ is replaced by ‘&lt;’ and ‘>’ is replaced by ‘&gt;’.
Browsers use these special codes to display the ‘<’ or ‘>’ in the browser.

Content can be easily HTML-encoded on the server using the Server.HtmlEncode(string) API. Content can also be easily HTML-decoded, that is, reverted back to standard HTML using the Server.HtmlDecode(string) method.


Solution from here

A potentially dangerous Request.Form value was detected from the client – ASP.NET 4.0

Sunday, September 26, 2010 Posted by Suprotim Agarwal


If you happen to upgrade your .NET Framework to use the .NET 4.0 CLR's version of ASP.NET, then it helps to keep the ASP.NET 4.0 breaking changes document handy.

After the upgrade, most of the users using rich-text editors or textboxes to submit HTML data encounter the following error: “Exception type: System.Web.HttpRequestValidationException Exception message: A potentially dangerous Request.Form value was detected from the client”

Now we know about the request validation feature in ASP.NET that shields against cross-site scripting (XSS) attacks to a certain level. However, this level of security changes in ASP.NET 4.0, making it stricter in terms of request validation.

As given in the documentation: “In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.”

To fix this error, open your web.config and add the following setting inside <system.web> as shown here:

<system.web>
  <httpRuntime requestValidationMode="2.0" />
  <!-- ... rest of your attributes come here -->
</system.web>

This disables validation for request data. Although this isn’t particularly a very good fix as it compromises security, I believe it’s the only quick hack available unless you want to float your own custom request validator.
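
The custom request validator mentioned above can leave ASP.NET 4 validation on and exempt a single form field instead of relaxing it everywhere. The following is an added example, not code from the quoted post, built on System.Web.Util.RequestValidator. The namespace, class name and page path are hypothetical, and the field name remarks is taken from the error message quoted further down this page, assuming the field posts under that plain name.

```csharp
// Added example, not from the original post. Names marked hypothetical are assumptions.
using System;
using System.Web;
using System.Web.Util;

namespace ExampleApp // hypothetical namespace
{
    // Register in web.config (ASP.NET 4):
    //   <httpRuntime requestValidationType="ExampleApp.RemarksRequestValidator" />
    public class RemarksRequestValidator : RequestValidator
    {
        // Hypothetical page path; the field name comes from the error shown on this page.
        private const string AllowedPath = "~/EditRemarks.aspx";
        private const string AllowedField = "remarks";

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            bool isExemptField =
                requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, AllowedField, StringComparison.Ordinal) &&
                string.Equals(context.Request.AppRelativeCurrentExecutionFilePath,
                              AllowedPath, StringComparison.OrdinalIgnoreCase);

            if (isExemptField)
            {
                // Let this one form value through unvalidated; it must be
                // HTML-encoded (Server.HtmlEncode) wherever it is rendered.
                validationFailureIndex = -1; // no failing character to report
                return true;
            }

            // Query string, cookies, headers and every other form field
            // keep the built-in ASP.NET validation.
            return base.IsValidRequestString(context, value, requestValidationSource,
                                             collectionKey, out validationFailureIndex);
        }
    }
}
```

Because the exemption is keyed on both the page path and the field name, a value named remarks posted to any other page is still checked by the built-in validator.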


Solution from HERE

A potentially dangerous Request.Form value was detected from the client (remarks="5678,

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (remarks="5678,

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (remarks="5678,


Version Information: Microsoft .NET Framework Version:2.0.50727.4016; ASP.NET Version:2.0.50727.4016

… which is nice by default, but in some situations where you want people to be able to enter markup of some kind you want to be able to disable this. There are several ways.

WebForms – Per Page

This is a matter of adding the ValidateRequest property to the page directive per page:

<%@ Page Language="c#" … ValidateRequest="false"%>

WebForms – Globally

Turning off validation (which is not recommended unless you need to and know the consequences) is done by editing the Web.config file’s pages element and adding the validateRequest attribute as shown below:

  :
  <pages validateRequest="false" />
  :

MVC – Action

To prevent this error in MVC you can do it per action by applying the ValidateInputAttribute to the action method.

[AcceptVerbs(HttpVerbs.Post)]
[ValidateInput(false)]
public ActionResult EditMyEntity(string newValue)
{
    :
}