ASP.NET 4.0 change to RequestValidation

less than 1 minute read

So you have upgraded a web application from .NET 2.0 to .NET 4.0 or higher and now you are getting errors that say there is a potentially dangerous request.:

System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (ctl00$Body$ucSettings$tbText="<Settings><TypeID>10...").
at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
at System.Web.HttpRequest.ValidateHttpValueCollection(HttpValueCollection collection, RequestValidationSource requestCollection)

And you specifically allow <> tags in your control by setting the ValidateRequest=”false” on the page? Well this would be because a change in .NET 4.0 makes it so this settings isn’t enough. Now you have to add the following to the web.config to revert Request Validation back to 2.0:

<system.web>
     <httpRuntime requestValidationMode="2.0" />
</system.web>

Remember not to duplicate your tags. If you want to do this just for a specific page you can also do this:

<location path="[PageRequiring].aspx">
     <system.web>
         <httpRuntime requestValidationMode="2.0" />
     </system.web>
</location>

Remember though, that if you disable Request Validation, you should have some other means programmed in to validate the incoming data.