This error occurs in Web applications developed with ASP.NET. When the page is posted back to the server for processing, an exception like this one is generated:
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (…).]
which, by default, is not handled at the application or Web page level.
The exception is triggered by the input data: the .NET platform (beginning with version 1.1) validates user input to prevent JavaScript Injection attacks, in which the user tries to enter strings of the <text> format (which could also represent HTML code).
Solutions to manage or to avoid this error:
- training or warning users to avoid entering text that contains <text> format strings;
- disabling validation at the page level by inserting the ValidateRequest="false" attribute in the <%@ Page … > section of the ASP.NET file:
<%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false" %>
- disabling validation at the application level by inserting in the Web.config file (<system.web> section) the attribute
- error management at page level (Page_Error method) or at Web application level (in Global.asax using Application_Error) by redirecting to a general error page; the exception cannot be captured (or I don’t see how to do it) since it is not generated in a programmer code sequence that can be placed inside a try-catch block;
The second solution should be supplemented with input data validation routines that will deny JavaScript Injection attacks. ASP.NET provides the Server.HtmlEncode() method to convert a string to its HTML-encoded equivalent. This enables applications to store HTML special characters (e.g. < is converted to &lt; and > to &gt;), disabling the execution of JavaScript code.
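An added example, not code from the original post: a code-behind for a page declared with ValidateRequest="false" that applies its own input checks and encodes the text with Server.HtmlEncode() before writing it back to the page. The class name, the control names (CommentBox, SubmitButton, ErrorLabel, CommentOutput) and the 500-character limit are assumptions made for the illustration.

```csharp
// CommentPage.aspx.cs - code-behind for a page declared with
//   <%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false" ... %>
// Hypothetical controls defined in the .aspx markup:
//   TextBox CommentBox, Button SubmitButton, Label ErrorLabel, Literal CommentOutput
using System;
using System.Web.UI;

public partial class CommentPage : Page
{
    // Constructed limit for this example; choose one that fits the field.
    private const int MaxCommentLength = 500;

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // With request validation disabled, the raw text (including < and >)
        // reaches this handler instead of raising HttpRequestValidationException.
        string raw = CommentBox.Text;

        // Input checks that take over from the built-in validation:
        // reject empty, oversized, or control-character-laden input.
        if (raw.Length == 0 || raw.Length > MaxCommentLength || ContainsControlChars(raw))
        {
            ErrorLabel.Text = "The comment is empty, too long, or contains invalid characters.";
            CommentOutput.Text = string.Empty;
            return;
        }

        ErrorLabel.Text = string.Empty;

        // A Literal writes its Text to the response as-is, so encode first:
        // < becomes &lt; and > becomes &gt;, and the browser shows the text
        // instead of interpreting it as markup or script.
        CommentOutput.Text = Server.HtmlEncode(raw);
    }

    // True if the string holds control characters other than CR, LF or TAB.
    private static bool ContainsControlChars(string s)
    {
        foreach (char c in s)
        {
            if (char.IsControl(c) && c != '\r' && c != '\n' && c != '\t')
                return true;
        }
        return false;
    }
}
```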
Other Web sources about this topic:
- http://www.asp.net/learn/whitepapers/request-validation/ (Request Validation – Preventing Script Attacks)
- http://msdn.microsoft.com/en-us/library/ms998274.aspx (How To: Prevent Cross-Site Scripting in ASP.NET)