Today, I encounter an error: A potentially dangerous Request.QueryString value was detected from the client.
If you submit any HTTP request which contain XML string, it will be detected as a potential threat to the web application, the above message is to tell you that someone may intends to inject some cross site scripts to your web application. By default, the request validation is turned on automatically, the dangerous string will be truncated. However, due to some business requirements, somehow you want to make your application to accept XML string request. Therefore, you want to disable the request validation.
If you had experience in ASP.net 2.0, you know that you can simply disable the request validation by adding directive RequestValidation="false" to your aspx page. But, in ASP.net 4.0, there are something new. Even though you have added the directive, you still get the same warning message.
There is something extra need to be done for ASP.net 4.0. We need to specify <httpRuntime> as highlighted below in the web.config file. If you wish to disable the request validation for all the pages, you do not need to add directive to every individual page, instead, just use <pages> for all pages.
If you submit any HTTP request which contain XML string, it will be detected as a potential threat to the web application, the above message is to tell you that someone may intends to inject some cross site scripts to your web application. By default, the request validation is turned on automatically, the dangerous string will be truncated. However, due to some business requirements, somehow you want to make your application to accept XML string request. Therefore, you want to disable the request validation.
If you had experience in ASP.net 2.0, you know that you can simply disable the request validation by adding directive RequestValidation="false" to your aspx page. But, in ASP.net 4.0, there are something new. Even though you have added the directive, you still get the same warning message.
There is something extra need to be done for ASP.net 4.0. We need to specify <httpRuntime> as highlighted below in the web.config file. If you wish to disable the request validation for all the pages, you do not need to add directive to every individual page, instead, just use <pages> for all pages.
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" requestValidationMode="2.0" />
<pages validateRequest="false" />
</system.web>
No comments:
Post a Comment