LOGIC Library

This site is Logic's contribution to sharing the expertise and skills acquired in our daily work. The goal is to build a solid knowledge base and share best practices in software development and systems management.

More info about us can be found on logicsistemi.it.

A potentially dangerous Request.Form value was detected from the client

In ASP.NET you may run into the following error: A potentially dangerous Request.Form value was detected from the client. In this article we look at what it actually means and how to handle it.

The error is followed by a description similar to this:

Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

First we reproduce the error, then we give the solution. The platform is ASP.NET MVC (not ASP.NET Web Forms) with Entity Framework and C#. Moreover, we assume that none of the usual workarounds can be used:

  • <httpRuntime requestValidationMode="2.0" /> in Web.config (reverts to the ASP.NET 2.0 validation behaviour for the whole application).
  • <pages validateRequest="false"> in Web.config (disables request validation for every page).
  • Attribute [ValidateInput(false)] on the controller action (disables it for every input of that action).
  • Attribute [AllowHtml] on the model class property (disables it for that single property only).

The table

The scenario we are working on is the following table of news:

Table "News"

Column   Type
NewsID   int
Title    nvarchar(200)
Body     text

The model

For the sake of simplicity, we omit the model.

The view

Here's the rendered view:

[Screenshot: the Create form, with the Body field containing "Test <b>Body</b>"]

Notice the Body field: it contains the HTML tag <b> ("Test <b>Body</b>"). This is the source of the error. As a coarse defence against cross-site scripting and similar injection, ASP.NET request validation rejects any form value that looks like markup, for instance a "<" followed by a letter, "!", "/" or "?", or a numeric character reference starting with "&#". In a real application the field is probably not a plain text input but a textarea or some kind of HTML editor, which is exactly where users legitimately type tags. If we press the "Create" button, we get the exception HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client.
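To see exactly which values trip this check, here is an added example (not code from the original article) that re-implements the ASP.NET 4 request-validation heuristic as a stand-alone console program. The rule it encodes, a "<" followed by a letter, "!", "/" or "?", or the two characters "&#", is my reading of the behaviour; the authoritative implementation lives inside System.Web (CrossSiteScriptingValidation) and is what actually runs. The sample inputs are constructed.

```csharp
using System;

// Added example, not code from the original article: a stand-alone
// re-implementation of the value check ASP.NET 4 request validation applies
// to every form field, so you can see which inputs would raise
// HttpRequestValidationException before posting them.
// Assumption: the rule is "a '<' followed by a letter, '!', '/' or '?', or
// the two characters '&#'"; the authoritative code is
// System.Web.CrossSiteScriptingValidation and may differ in detail.
static class RequestValidationDemo
{
    static readonly char[] StartingChars = { '<', '&' };

    static bool IsAtoZ(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }

    // Returns true when the value would be rejected; matchIndex is the offset
    // of the character that triggered the decision.
    public static bool IsDangerousString(string s, out int matchIndex)
    {
        matchIndex = 0;
        for (int i = 0; ; )
        {
            int n = s.IndexOfAny(StartingChars, i);
            if (n < 0) return false;              // no '<' or '&' left to inspect
            if (n == s.Length - 1) return false;  // a lone trailing '<' or '&' is harmless
            matchIndex = n;
            char next = s[n + 1];
            switch (s[n])
            {
                case '<':
                    // "<b", "<!--", "</b>" and "<?xml" all look like markup
                    if (IsAtoZ(next) || next == '!' || next == '/' || next == '?')
                        return true;
                    break;
                case '&':
                    // "&#60;" style numeric character references
                    if (next == '#')
                        return true;
                    break;
            }
            i = n + 1;                            // keep scanning after this candidate
        }
    }

    static void Main()
    {
        // Constructed sample inputs: the article's Body value plus a few edge cases.
        string[] samples =
        {
            "Test <b>Body</b>",    // rejected: '<' followed by a letter
            "1 < 2 and 3 > 2",     // accepted: '<' followed by a space
            "Tom & Jerry",         // accepted: '&' not followed by '#'
            "&#60;script&#62;",    // rejected: numeric character reference
            "<!-- hidden -->",     // rejected: '<' followed by '!'
            "a < b, c<",           // accepted: neither '<' is followed by a letter
        };

        foreach (string s in samples)
        {
            int at;
            bool rejected = IsDangerousString(s, out at);
            Console.WriteLine("{0,-24} {1}", "\"" + s + "\"",
                rejected ? "rejected (at index " + at + ")" : "accepted");
        }
    }
}
```

Note that the check is purely syntactic: "1 < 2" passes while "Test <b>Body</b>" does not, and nothing is inspected beyond the character that follows a "<" or "&". That is why it is only a safety net and not a substitute for validating or encoding the value yourself.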

Here's the source of the view:

...
@using (Html.BeginForm()) {
    @Html.ValidationSummary(true)
    <fieldset>
        <legend>News</legend>
        <div>
            @Html.LabelFor(model => model.Title)
        </div>
        <div>
            @Html.EditorFor(model => model.Title)
            @Html.ValidationMessageFor(model => model.Title)
        </div>
        <div>
            @Html.LabelFor(model => model.Body)
        </div>
        <div>
            @Html.EditorFor(model => model.Body)
            @Html.ValidationMessageFor(model => model.Body)
        </div>
        <p>
            <input type="submit" value="Create" />
        </p>
    </fieldset>
}
...

The controller

Here's the source of the controller action:

[HttpPost]
public ActionResult Create(News news)
{
    if (ModelState.IsValid)
    {
        db.News.AddObject(news);
        db.SaveChanges();
        return RedirectToAction("Index");
    }
    return View(news);
}

The solution

In order to solve the problem, we modify the controller action:

using System.Web.Helpers;
...
[HttpPost]
public ActionResult Create([Bind(Exclude = "Body")]News news)
{
    FormCollection collection = new FormCollection(Request.Unvalidated().Form);
    news.Body = collection["Body"];
    if (ModelState.IsValid)
    {
        db.News.AddObject(news);
        db.SaveChanges();
        return RedirectToAction("Index");
    }
    return View(news);
}
...

If we now press the "Create" button, there is no error and the record is inserted. The lines added to the original action are the [Bind(Exclude = "Body")] attribute and the two lines that read Body from the form collection. The Body field is excluded from model binding because we want to read its value from the form collection ourselves; the model binder would otherwise validate it and throw. Reading it from the ordinary form collection (Request.Form) raises the same error, so we use Request.Unvalidated(), which returns the request values without running request validation on them. Pay attention: as the MSDN documentation remarks, if you exclude a field from request validation, you must check it yourself to be sure it does not include malicious markup or code. Concretely, the raw HTML is now stored as-is, so either sanitize it against an allow-list of tags before saving or make sure it is always HTML-encoded when rendered (Razor's @Model.Body encodes by default; @Html.Raw(Model.Body) would render the stored markup and reintroduce the cross-site scripting risk that request validation was guarding against). Also notice that the System.Web.Helpers namespace is needed for the Unvalidated() extension method.
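Here is how the action can take over the check that request validation no longer performs. This is an added example, not the article's code: it keeps the article's [Bind(Exclude = "Body")] and Request.Unvalidated() approach and sanitizes the raw value against an allow-list before it reaches the database. The sanitizer is the HtmlSanitizer NuGet package (namespace Ganss.XSS in the versions I have used; newer releases use Ganss.Xss), and NewsEntities / db are assumed names for the article's Entity Framework context, which it does not show.

```csharp
using System.Web.Helpers;   // Request.Unvalidated()
using System.Web.Mvc;
using Ganss.XSS;            // HtmlSanitizer NuGet package (assumed; newer versions use Ganss.Xss)

public class NewsController : Controller
{
    // Assumed name for the article's Entity Framework ObjectContext, which it does not show.
    private readonly NewsEntities db = new NewsEntities();

    // Builds a sanitizer with an allow-list of harmless formatting tags.
    // Anything not listed (script, style, iframe, img, on* event attributes,
    // javascript: links, ...) is stripped, so what reaches the database can
    // later be rendered with @Html.Raw without reintroducing XSS.
    private static HtmlSanitizer CreateBodySanitizer()
    {
        var sanitizer = new HtmlSanitizer();

        sanitizer.AllowedTags.Clear();
        foreach (string tag in new[] { "b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "a" })
            sanitizer.AllowedTags.Add(tag);

        sanitizer.AllowedAttributes.Clear();
        sanitizer.AllowedAttributes.Add("href");

        sanitizer.AllowedSchemes.Clear();       // href may only point at http(s) URLs
        sanitizer.AllowedSchemes.Add("http");
        sanitizer.AllowedSchemes.Add("https");

        return sanitizer;
    }

    [HttpPost]
    public ActionResult Create([Bind(Exclude = "Body")] News news)
    {
        // Read Body without request validation, as in the article's solution ...
        string rawBody = Request.Unvalidated().Form["Body"];

        // ... then do the check the article says is now our responsibility:
        // reduce the markup to the allow-list before it is stored.
        news.Body = rawBody == null ? null : CreateBodySanitizer().Sanitize(rawBody);

        // Body was excluded from binding, so any validation attributes on it
        // did not run either; re-apply the basic rule on the sanitized value.
        if (string.IsNullOrWhiteSpace(news.Body))
            ModelState.AddModelError("Body", "The Body field is required.");

        if (ModelState.IsValid)
        {
            db.News.AddObject(news);
            db.SaveChanges();
            return RedirectToAction("Index");
        }
        return View(news);
    }
}
```

With this in place the article's input "Test <b>Body</b>" is stored unchanged, while something like "<script>alert(1)</script>" or "<a href="javascript:...">" is reduced to harmless text before SaveChanges(). On the output side, @Model.Body in Razor still HTML-encodes the stored value; to display the formatting you must use @Html.Raw(Model.Body), which is acceptable only because of the allow-list applied on the way in. On .NET 4.5 and later, HttpRequest also exposes an Unvalidated property (Request.Unvalidated.Form) that gives the same raw values without the System.Web.Helpers extension method.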
