Microsoft Knowledge Base Archive

Symptoms

When you deploy a Microsoft ASP.NET 1.0 Web application on a server with the Microsoft .NET Framework version 1.1 installed, you receive the following error message if unencoded input is submitted :

A potentially dangerous Request.Form value was detected from the client

↑ Back to the top

Cause

When the .NET Framework 1.1 is installed on a computer, the default value of the validateRequest attribute is true. When the value of validateRequest is set to true, request validation is performed and an exception is thrown if the input has potentially dangerous values.

The new request validation feature in ASP.NET 1.1 proactively prevents attacks from dangerous values. It does not allow the server to process unencoded HTML content unless you decide to allow the content. The request validation feature is designed to help prevent some script-injection attacks where client script code or HTML can be unknowingly submitted to a server, can be stored, and then can be presented to other users.

↑ Back to the top

Resolution

The request validation feature of ASP.NET 1.1 prevents the server from accepting content that contains unencoded HTML. You can disable request validation by setting the validateRequest attribute to false in the @ Page directive or in the configuration section.

Disable Request Validation on a Page

To disable request validation on a page, you must set the validateRequest attribute of the @ Page directive to false:

<%@ Page validateRequest="false" %>

Note When request validation is disabled, content is submitted to a page. The page developer must make sure that the content is correctly encoded or is correctly processed.

Disable Request Validation for Your Application

To disable request validation for your application, you must modify or create a Web.config file for your application and then set the validateRequest attribute of the <PAGES /> section to false:

 <configuration> 
  <system.web> 
    <pages validateRequest="false" /> 
  </system.web> 
</configuration>

If you want to disable request validation for all applications on your server, you can make this change to your Machine.config file.

Note When request validation is disabled, content is submitted to your application. The application developer must make sure that the content is correctly encoded or is correctly processed.

HTML Encode the Content

When request validation is disabled, you must HTML encode the content to prevent possible attacks by unencoded HTML content.

If you have disabled request validation, it is good practice to HTML encode content that will be stored for future use. HTML encoding automatically replaces any "<" or ">" characters (and several other symbols) with their corresponding HTML encoded representation.

You can easily HTML encode content on the server by using the Server.HtmlEncode(String) method. You can also easily HTML decode content. HTML decoding reverts HTML-encoded content back to standard HTML. To do this, use the Server.HtmlDecode(String) method.

Use the following code:

Microsoft Visual Basic. NET Code

<%@ Page Language="vb" validateRequet="false" %>
<HTML>
   <HEAD>
      <title>WebForm2</title>
      <script runat="server">      
      Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)   
         ' Set the label to the HTMLEnoded value of  TextBox.
         Label1.Text = Server.HtmlEncode(TextBox1.Text)
      End Sub
      </script>
   </HEAD>
   <body>
      <form id="Form1" method="post" runat="server">
         <asp:Button id="Button1" OnClick="Button1_Click" 
               style="Z-INDEX: 101; LEFT: 299px; POSITION: absolute; TOP: 172px" runat="server" Text="Button">
         </asp:Button>
         <asp:Label id="Label1" 
               style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label
         </asp:Label>
         <asp:TextBox id="TextBox1"
               style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server">
         </asp:TextBox>
      </form>
   </body>
</HTML>

Microsoft Visual C# .NET Code

<%@ Page Language="c#" validateRequet="false" %>
<HTML>
   <HEAD>
      <title>WebForm2</title>
      <script runat="server">      
      private void Button1_Click(object sender, System.EventArgs e)
      { 
        // Set the label to the HTMLEnoded value of  TextBox.  
         Label1.Text = Server.HtmlEncode(TextBox1.Text);
      }
      </script>
   </HEAD>
   <body>
      <form id="Form1" method="post" runat="server">
         <asp:Button id="Button1" OnClick="Button1_Click"
               style="Z-INDEX: 101; LEFT: 299px; POSITION: absolute; TOP: 172px" runat="server" Text="Button">
         </asp:Button>
         <asp:Label id="Label1" 
               style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label
         </asp:Label>
         <asp:TextBox id="TextBox1" 
               style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server">
         </asp:TextBox>
      </form>
   </body>
</HTML>

↑ Back to the top

Status

This behavior is by design.

↑ Back to the top

More information

Steps to Reproduce the Behavior

Start Microsoft Visual Studio .NET.
Create a new ASP.NET 1.0 Web application by using Visual C# .NET or Visual Basic .NET. By default, WebForm1.aspx is created.
Add a Button control , aTextBox control, and a Label control to WebForm1.aspx.
Right-click WebForm1.aspx, and then click View HTML Source.

Replace the existing code with the following code:

Visual Basic .NET Code

<%@ Page Language="vb" %>
<HTML>
   <HEAD>
      <title>WebForm2</title>
      <script runat="server">      
      Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)    
         Label1.Text = TextBox1.Text
      End Sub
      </script>
   </HEAD>
   <body>
      <form id="Form1" method="post" runat="server">
         <asp:Button id="Button1" OnClick="Button1_Click" 
                style="Z-INDEX: 101; LEFT: 299px; POSITION: absolute; TOP: 172px" runat="server" Text="Button">
         </asp:Button>
         <asp:Label id="Label1" 
                style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label
         </asp:Label>
         <asp:TextBox id="TextBox1" 
                style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server">
         </asp:TextBox>
      </form>
   </body>
</HTML>

Visual C# .NET Code

<%@ Page Language="c#" %>
<HTML>
   <HEAD>
      <title>WebForm2</title>
      <script runat="server">      
      private void Button1_Click(object sender, System.EventArgs e)
      {  
         Label1.Text = TextBox1.Text;
      }
      </script>
   </HEAD>
   <body>
      <form id="Form1" method="post" runat="server">
         <asp:Button id="Button1" OnClick="Button1_Click" 
                style="Z-INDEX: 101; LEFT: 299px; POSITION: absolute; TOP: 172px" runat="server" Text="Button">
         </asp:Button>
         <asp:Label id="Label1" 
                style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label
         </asp:Label>
         <asp:TextBox id="TextBox1" 
                style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server">
         </asp:TextBox>
      </form>
   </body>
</HTML>

On the Debug menu, click Start to run the application.
Type the following text in the text box:
<script>alert("cross-site script test!")</script>
Click Button, and notice that the script is permitted to be posted back without encoded HTML. The message box appears.
Deploy the same code on a server with the .NET Framework version 1.1 installed. You receive the error message that is mentioned in the "Symptoms" section of this article.