A few days ago, while working on an ASP.NET 4.0 project, I got an error. The error was, when user enters non-encoded HTML content into text box then she/he got something like the following error message:
This was because .NET detected something in the entered text which looked like an HTML statement. Then I got a solution that is 'Request Validation', that is a feature in ASP.Net application to protest cross site scripting attack.
To disable request validation, I added the following to the existing "page" directive in .aspx file.
But I still got the same error message. Later on I found that, for .NET 4, we need to add requestValidationMode="2.0" to the httpRuntime configuration section of the web.config file as following:
If you wants to turn off request validation globally, the following line in the web.config file within <system.web> section will help:
Note: Avoid the last example because there is a security issue. The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting attacks.
This was because .NET detected something in the entered text which looked like an HTML statement. Then I got a solution that is 'Request Validation', that is a feature in ASP.Net application to protest cross site scripting attack.
To disable request validation, I added the following to the existing "page" directive in .aspx file.
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" ValidateRequest="false"%>
But I still got the same error message. Later on I found that, for .NET 4, we need to add requestValidationMode="2.0" to the httpRuntime configuration section of the web.config file as following:
<system.web>
<compilation debug="true" targetFramework="4.0"/>
<httpRuntime requestValidationMode="2.0"/>
</system.web>
<compilation debug="true" targetFramework="4.0"/>
<httpRuntime requestValidationMode="2.0"/>
</system.web>
If you wants to turn off request validation globally, the following line in the web.config file within <system.web> section will help:
<pages validateRequest="false" />
Note: Avoid the last example because there is a security issue. The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting attacks.
No comments:
Post a Comment