Thursday, June 10, 2010

ValidateRequest="false" not working in .Net 4.0 (VS.Net 2010)

Recently I have migrated one of my project from .Net 3.5 to .Net 4.0, In other words from .Net 3.5 Project in VS.Net 2008 to .Net 4.0 Project in VS.Net 2010, and I have noticed suddenly my project started giving following error.

Error: System.Web.HttpRequestValidationException
A potentially dangerous Request.Form value was detected from the client (ctl00$CC$txtAnswer=\"... World\r\n\r\nI am doing Testin...\")."} System.Web.HttpRequestValidationException



at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.get_Form()
   at System.Web.HttpRequest.get_HasForm()
   at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
   at System.Web.UI.Page.DeterminePostBackMode()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.displaypost_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\a37c2f81\cfc4c927\App_Web_i2rujncl.9.cs:line 0
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Cause of this error in .Net 4.0 or while working with VS.Net 2010, .Net 4.0 Project
In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

Solution for ValidateRequest="false" Issue in .Net 4.0

To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>

10 comments:

arvi said...

Doesn't work for me. Apparently the "requestValidationMode" attribute is not allowed.

Unknown said...

Worked for me in 4.0 you ROCK!!!! I have been fighing with this for days...

Anonymous said...

Doesn't work for me. I get this message:

HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.

Apparently the problem is in this line:



Possibly this is not valid in 2.0 mode.

I have ValidateRequest="false" for the page, and I still get a HttpRequestValidationException.

Why?

Bugs said...

@jim

There's already an element in the BE web.config file. So if you remain at .NET 4.0 (if you're at 4.0), then you would just want to add requestValidationMode="2.0" as a new attribute to the existing tag.

Anonymous said...

Cheers,

Worked for me.

Unknown said...

Holy !@$&....this worked for me. I have been searching for this answer for 3 hours...

Thanks a TON!!

Unknown said...

Worked perfectly! Been struggling with this all morning. Thanks!

Alice in Wonderland said...

Hey thanks tht worked pretty well.

Steve Kennaird said...

Worked for me, thanks!

Don said...

Hey Thanks It worked for me very well

Most Recent Post

Subscribe Blog via Email

Enter your email address:



Disclaimers:We have tried hard to provide accurate information, as a user, you agree that you bear sole responsibility for your own decisions to use any programs, documents, source code, tips, articles or any other information provided on this Blog.
Page copy protected against web site content infringement by Copyscape