A potentially dangerous Request.Form value was detected from the client

The runtime raises an error when attempting to input HTML tags or content within a form. Although HTML tags themselves are not inherently harmful, their presence within certain contexts can pose a risk. This scenario could indicate a potential cross-site scripting (XSS) attack, which is why ASP.NET has a default restriction on allowing such input.

Filtering random input for dangerous characters is not a viable solution, as any character has the potential to be dangerous depending on the specific circumstances. It is crucial to implement appropriate security measures to mitigate the risks associated with HTML tags and prevent malicious attacks.


ASP.Net Error: A potentially dangerous

However, there may be instances where allowing users to post HTML tags is necessary. This could be due to a need for specific characters, such as "›", or to support the usage of tags like ‹h1› or ‹div› for certain development functionalities. In such cases, it is important to encode the input at the point where certain characters may become potentially dangerous by crossing into a different sub-language with special meanings.

How to solve?

To address this issue, you have two options. Firstly, you can HTML encode the input before submitting it, ensuring that any potentially harmful characters are appropriately encoded. Alternatively, you can disable request validation by setting ValidateRequest = false in the @Page directives within your .aspx file(s). However, it is crucial to note that disabling request validation can expose your site to Cross-Site Scripting (XSS) attacks, so caution must be exercised and appropriate security measures should be implemented to prevent any potential risks.

C# sample:
[HttpPost, ValidateInput(false)] public ActionResult Edit(FormCollection collection) { // ... }
Visual Basic sample:
<AcceptVerbs(HttpVerbs.Post), ValidateInput(False)> _

The ValidateInput attribute can be utilized to selectively disable validation by ASP.NET MVC for a specific Action method within a Controller. By applying this attribute, the validation process will be bypassed for the designated Action method, allowing the inclusion of HTML content in the request.

Alternatively, you can use the [AllowHtml] attribute to annotate the specific property in your model that requires HTML. This attribute explicitly permits the inclusion of HTML markup during the model binding process, effectively bypassing request validation for that particular property.

[AllowHtml] public string Description { get; set; }

The scope of the solution is limited to a specific property within the Model class, ensuring a targeted and secure approach.

For applications using .NET 4.0, it is important to include the following tag within the web.config file, specifically within the ‹system.web› tags:

<configuration> ... <location path="yourFolder/.aspx"> <system.web> <pages validateRequest="false" /> <httpRuntime requestValidationMode="2.0" /> </system.web> </location> ... </configuration>

Also, you can disable request validate entirely by specifying:

validateRequest="false"