If you’re an ASP.NET developer and you make good use of web services and/or HTML forms, you most certainly know that certain characters will always be blocked by the ASP.NET built-in request validation feature: this will always happen for Controller methods, Web API Controllers, WebService methods and even ASPX pages – if you’re still working with them. This is the error that you will get:
A potentially dangerous Request.Form value was detected from the client
Frankly speaking, blocking potentially dangerous characters isn’t a bad thing at all, as it spares you part of the worry about XSS (Cross-Site Scripting) attacks that you would otherwise have (if you don’t know what XSS attacks are, read this Wikipedia entry): if these are legit characters, the best thing you can do is find a way to properly encode them. However, if you really need to accept these characters as they are, you’re left with the choice to partially (or even globally) disable the ASP.NET request validation feature. Before proceeding, be sure you’ve carefully understood what XSS attacks are and how harmful they can be by reading this great XSS awareness information article by OWASP, the aforementioned Wikipedia entry and the official overview of the topic on the ASP.NET website.
In case you still want to do this after all this, keep reading.
If you’re working on an ASP.NET MVC 4 (or newer) or ASP.NET Web API project, the best thing you can do is to decorate the method that receives the GET or POST request with the [ValidateInput(false)] attribute: this will relax the request validation only for that single method, thus leaving your web project protected elsewhere. If you’re still using MVC 3 or older and you don’t have that attribute, you can obtain the same result by using the [AllowHtml] attribute instead.
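As an added illustration (not code from the original post), here are the two scoped options for an ASP.NET MVC 3-or-newer project: [ValidateInput(false)] on a single action, and [AllowHtml] on a single model property, which is where that attribute is applied. The controller, model and action names are hypothetical; the HtmlEncode step is what keeps the relaxed action from becoming the XSS sink the built-in check was guarding against.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical input model for a comment form. Only the property that
// legitimately carries markup is opted out of request validation.
public class CommentInput
{
    public string Author { get; set; }

    [AllowHtml]               // "<" and "&" are accepted in this field only
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    // Option 1: relax request validation for this one action.
    // Every other action in the project keeps the default check.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [ValidateInput(false)]
    public ActionResult PostRaw(string author, string body)
    {
        // The raw characters are now accepted, so they MUST be encoded
        // before they are sent back to a browser.
        string safeHtml = "<p><b>" + HttpUtility.HtmlEncode(author) + "</b>: "
                        + HttpUtility.HtmlEncode(body) + "</p>";
        return Content(safeHtml, "text/html");
    }

    // Option 2: keep validation on the action and relax it only for the
    // [AllowHtml] property. A "<" in "Author" still triggers the
    // "potentially dangerous Request.Form value" error.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult PostModel(CommentInput input)
    {
        if (!ModelState.IsValid)
            return new HttpStatusCodeResult(400);

        string safeHtml = "<p><b>" + HttpUtility.HtmlEncode(input.Author) + "</b>: "
                        + HttpUtility.HtmlEncode(input.Body) + "</p>";
        return Content(safeHtml, "text/html");
    }
}
```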
In case you’re still stuck with ASP.NET Web Forms, you can disable the validation on a single-page basis by adding the validateRequest="false" attribute to the <%@ Page ... %> directive at the beginning of the .aspx page itself. The final result should be something like this:
<%@ Page validateRequest="false" %>
This is also an effective and rather secure workaround, since all other .aspx pages will stay protected.
Globally disable the validation
If the above workarounds are not enough for your scenario, you can also choose to disable the input validation on a global basis. You can do that by adding the validateRequest="false" attribute to the <pages> element within the web.config file, normally part of the <system.web> section. In case it’s not there yet, add it in the following way:
<pages validateRequest="false" />
IMPORTANT: if you’re using ASP.NET v4.0 (or higher) you will probably need to also add the following line in the <system.web> section:
<httpRuntime requestValidationMode="2.0" />
It’s worth noting that this will disable the new validation mode introduced with ASP.NET 4, which happens to be more efficient than the previous one: use it only if you can’t do anything else, as it will probably impact your website’s performance if you’re receiving lots of requests.
That’s it for now: happy development… and watch out for XSS!