A potentially dangerous Request.Form value was detected from the client - how to fix


If you're an ASP.NET developer and you make good use of web services and/or HTML forms, you most certainly know that certain characters will always be blocked by the ASP.NET built-in request validation feature: this will always happen for Controller methods, Web API Controllers, WebService methods and even ASPX pages, if you're still working with them. This is the error that you will get:

A potentially dangerous Request.Form value was detected from the client

Frankly speaking, blocking potentially dangerous characters isn't a bad thing at all, as you won't have to worry about XSS (Cross-Site Scripting) attacks as you normally should (if you don't know what XSS attacks are, read this Wikipedia entry): if these are legit characters, the best thing you can do is find a way to properly encode them. However, if you really need to accept these characters as they are, you're left with the choice to partially (or even globally) disable the ASP.NET request validation feature. Before proceeding, be sure you've carefully understood what XSS attacks are and how harmful they can be by reading this great XSS awareness information article by OWASP, the aforementioned Wikipedia entry and the official overview of the topic on the official ASP.NET website.

In case you still want to do this after all this, keep reading.

ASP.NET MVC

If you're working on an ASP.NET MVC 4 (or newer) or ASP.NET Web API project, the best thing you can do is to decorate your GET-or-POST-receiving method with the [ValidateInput(false)] attribute: this will relax the request validation only for that single method, thus leaving your web project protected elsewhere. If you're still using MVC 3 or older and you don't have that attribute, you can obtain the same result by using the [AllowHtml] attribute instead.

ASP.NET Forms

In case you're still stuck with ASP.NET Forms, you can disable the validation on a single-page basis by adding the validateRequest="false" attribute to the <%@ Page ... %> directive at the beginning of the .aspx page itself. The final result should be something like this:

<%@ Page validateRequest="false" %>

This is also an effective and rather secure workaround, since all other .aspx pages will stay protected.

Globally disable the validation

If the above workarounds are not enough for your scenario, you can also choose to disable the input validation on a global basis. You can do that by adding the validateRequest="false" attribute to the <pages> element within the web.config file, normally part of the <system.web> section. In case it's not there yet, add it in the following way:

IMPORTANT: if you're using ASP.NET v4.0 (or higher) you will probably need to also add the following line in the <system.web> section:

It's worth noting that this will disable the new validation mode introduced with ASP.NET 4, which happens to be more efficient than the previous installment: use it only if you can't do anything else, as it will probably impact your website performance if you're receiving lots of requests.
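The two web.config settings this section describes, written out as an added example (not the original post's own snippets), next to a narrower variant that uses a <location> element to confine the change to one page. The path Editor.aspx is a hypothetical name; each fragment is an alternative that goes inside the root <configuration> element.

```xml
<!-- Added example, not from the original post. Use ONE of the two fragments. -->

<!-- Fragment A: the global form described in the text.
     Every page in the application stops validating request input. -->
<system.web>
  <!-- ASP.NET 4.0 and later: unless requestValidationMode is "2.0",
       validateRequest="false" is ignored and input is still validated. -->
  <httpRuntime requestValidationMode="2.0" />
  <pages validateRequest="false" />
</system.web>

<!-- Fragment B: the same two settings scoped to a single page.
     "Editor.aspx" is a hypothetical path; all other pages keep the
     ASP.NET 4 validation behaviour. -->
<location path="Editor.aspx">
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
</location>
```

With either fragment, any value accepted by the unvalidated page still has to be encoded when it is written back into HTML, as the article recommends for legitimate characters.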

That's it for now: happy development... and watch out for XSS!

 

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 also a lead designer for many apps and games for Android, iOS and Windows Phone mobile devices for a number of Italian companies. Microsoft MVP for Development Technologies since 2018.
