A potentially dangerous Request.Form value was detected from the client …
If you see this exception in your page:
It means that ASP.NET's request validation found something that looks like markup (a `<script>` tag, an element, an HTML-encoded tag) in a posted form field. The request was rejected before your code ran, so nothing was exploited this time, but it tells you that a field which may end up echoed back into the page unencoded has reached your application. That is the setup for a reflected cross-site scripting (XSS) attack.
By default ASP.NET does this validation for you and returns an error page naming the form control (here a text entry control) and the piece of data that was rejected.
Here is an example of this problem:
ASPX Page:
```aspx
<form id="form1" runat="server">
    Message: <asp:TextBox id="txtName" runat="server" Text="<script>alert('test');</script>"/>
    <asp:Button id="btSubmit" runat="server" onclick="btSubmit_Click" Text="Submit" />
</form>
```
C# Code behind:
```csharp
// Echoes the posted text straight into the response without encoding.
// Request validation is the only thing standing between this line and a
// reflected XSS; with validation off it is exploitable as written.
protected void btSubmit_Click(object sender, EventArgs e)
{
    Response.Write(txtName.Text);
}
```
In this case there are two alternatives:
Case 1: Work with ASP .Net Validation Request
First of all you have to catch the exception, HttpRequestValidationException. To do that, override the OnError method on the page and check whether the last error is that exception. Whatever you do inside the handler, either end the response (Response.End, Response.Redirect and Server.Transfer all do) or call Server.ClearError(); otherwise ASP.NET still treats the error as unhandled and renders its own error page.
```csharp
protected override void OnError(EventArgs e)
{
    base.OnError(e);
    // GetBaseException() unwraps any wrapper exception ASP.NET added.
    var ex = Server.GetLastError().GetBaseException();
    if (ex is System.Web.HttpRequestValidationException)
    {
        // handle HttpRequestValidationException
    }
}
```
- Show Friendly Message:
```csharp
// handle HttpRequestValidationException
Response.Clear();
Response.Write("Invalid characters.");
// ex.Message quotes the rejected value, so it must be encoded if you show it:
// Response.Write(HttpUtility.HtmlEncode(ex.Message));
Response.StatusCode = 200;
Response.End();
```
- Redirect to an Error Page:
```csharp
// handle HttpRequestValidationException
Response.Redirect("Ooops.aspx");
```
Or you can transfer or redirect to the page itself, but that clears the form.
```csharp
// handle HttpRequestValidationException
Server.Transfer(Request.Url.AbsolutePath + "?exception=true");
```
On Load:
```csharp
protected void Page_Load(object sender, EventArgs e)
{
    // Reached on the transferred request; show the message and nothing else.
    if (!Page.IsPostBack && Request.QueryString["exception"] == "true")
    {
        Response.Write("Invalid characters.");
    }
}
```
Whether you redirect to an error page or back to the same page, remember that the user can go back and continue filling in the form. Therefore the message should say which field was rejected and why. Do not do that by writing ex.Message unencoded: it quotes the offending value, which would put the rejected markup straight into your response (the HtmlEncode variant above is the safe one).
Considerations:
You could also try a GET form and send the form values in the URL; in that case you would encode the query-string parameters in OnError and decode them in OnLoad/OnRender (not tested yet).
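The pieces above combined into one code-behind class, as an added example that is not part of the original post. It assumes the markup from the start of the post plus two Literal controls, litError and litResult, which the original does not have; transferring without preserving the form, logging the exception message instead of echoing it, and calling Server.ClearError() are my choices, not the post's.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Example code added to this post (not the original author's). Handles
// HttpRequestValidationException in OnError and re-runs the page with a
// friendly message. Assumed controls: txtName (TextBox), btSubmit (Button),
// litError and litResult (Literal) - the Literals are not in the original markup.
public partial class Default : Page
{
    private const string ExceptionFlag = "exception";

    protected void Page_Load(object sender, EventArgs e)
    {
        // After Server.Transfer below the page runs again with ?exception=true.
        // The rejected form data was not carried over, so only the message shows.
        if (Request.QueryString[ExceptionFlag] == "true")
        {
            litError.Text = "Invalid characters in the Message field. "
                          + "Please remove any < or > characters and try again.";
        }
    }

    protected void btSubmit_Click(object sender, EventArgs e)
    {
        // Request validation already rejected anything that looks like markup,
        // but output must still be encoded: it is the encoding, not the
        // validation, that guarantees the value is rendered as text.
        litResult.Text = "Hello, " + HttpUtility.HtmlEncode(txtName.Text);
    }

    protected override void OnError(EventArgs e)
    {
        base.OnError(e);

        Exception ex = Server.GetLastError();
        if (ex == null)
        {
            return;
        }

        if (ex.GetBaseException() is HttpRequestValidationException)
        {
            // ex.Message quotes the offending value. Keep it in the trace log
            // for the record; never write it to the response unencoded.
            Trace.Warn("RequestValidation", ex.Message);

            // Tell ASP.NET the error is handled so its own error page is not
            // rendered, then re-run this page with the form data dropped
            // (preserveForm = false) and the flag that Page_Load looks for.
            Server.ClearError();
            Server.Transfer(Request.Url.AbsolutePath + "?" + ExceptionFlag + "=true", false);
        }
    }
}
```

Server.Transfer ends the current response, so nothing after it in OnError runs. If you prefer to write a message in place instead of transferring, keep the Server.ClearError() call and finish with Response.End() as in the friendly-message variant above.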
Case 2: Validate Request by Yourself
In this case you start by disabling ASP.NET request validation. It takes just two steps.
First, disable request validation in the page:
```aspx
<%@ Page Language="C#" ... ValidateRequest="false" %>
```
NOTE: In MVC, use the [ValidateInput(false)] attribute on the controller action or, more narrowly, [AllowHtml] on the one model property that needs markup.
Second, set requestValidationMode to 2.0 in the configuration file. On .NET 4.0 and later, request validation runs at the start of the request, before the page-level ValidateRequest attribute is read, so the attribute alone has no effect unless you switch the runtime back to the 2.0 behaviour:
```xml
<configuration>
  <system.web>
    ...
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
  ...
</configuration>
```
- Client Validation
ASPX Page:
```aspx
<form id="form1" runat="server">
    Message: <asp:TextBox id="txtName" runat="server" Text="<script>alert('test');</script>"/>
    <asp:Button id="btSubmit" runat="server" onclick="btSubmit_Click" Text="Submit" />
    <asp:RegularExpressionValidator ID="regexValidatorMessage" runat="server"
        ControlToValidate="txtName" ValidationExpression="^[\w]+$" ErrorMessage="Use only alphanumeric characters" />
</form>
```
- Server Validation
C# Code behind:
```csharp
// At the top of the code-behind file:
using System.Text.RegularExpressions;

protected void btSubmit_Click(object sender, EventArgs e)
{
    // Server-side allow-list, anchored at both ends so the whole value must match.
    if (!new Regex(@"^(\w+)$").IsMatch(txtName.Text))
    {
        Response.Write("Use only alphanumeric characters");
        return;
    }
    // Reached only when the value matched the allow-list above.
    Response.Write(txtName.Text);
}
```
Considerations:
I recommend using both client and server validation. The client-side validator only improves the user experience; anyone can post directly to the page, so the server-side check is the one that counts. Once ValidateRequest is off, validation alone does not make the page safe either: any field that is echoed back must be HTML-encoded (HttpUtility.HtmlEncode) at the point of output, because request validation was the only thing blocking markup before. Note also that \w in .NET matches Unicode letters and the underscore, not just ASCII letters and digits, so spell out the character class if "alphanumeric" is meant literally. On .NET 4.5 and later there is a narrower option than turning validation off for the whole page: keep requestValidationMode at 4.5 and set ValidateRequestMode="Disabled" only on the control that legitimately needs markup.
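A hardened version of the Case 2 code-behind, as an added example that is not part of the original post. It runs with ValidateRequest="false", so it treats every field as untrusted: the name is checked against an explicit ASCII allow-list on the server, a second free-text field that may legitimately contain "<" is only length-bounded, and every value is HTML-encoded before it reaches the response. The controls txtComment and litOutput, the length limits and the regex timeout are my assumptions, not the post's.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Example code added to this post (not the original author's). Code-behind for
// a page declared with ValidateRequest="false" (requestValidationMode="2.0").
// Assumed controls: txtName (TextBox), txtComment (TextBox, free text that may
// contain '<'), btSubmit (Button), litOutput (Literal). Only txtName and
// btSubmit exist in the original markup.
public partial class Default : Page
{
    // Anchored, ASCII-only allow-list. \w would also accept Unicode letters and
    // '_' in .NET, so say exactly what "alphanumeric" means here. The match
    // timeout (.NET 4.5+) bounds the cost of any future edit to the pattern.
    private static readonly Regex NamePattern =
        new Regex(@"^[A-Za-z0-9]{1,40}$", RegexOptions.None, TimeSpan.FromMilliseconds(100));

    private const int MaxCommentLength = 500;

    protected void btSubmit_Click(object sender, EventArgs e)
    {
        // Run the declarative validators (RegularExpressionValidator etc.) on the
        // server. A Button with CausesValidation (the default) already does this
        // before Click; calling it here makes the dependency explicit. The
        // client-side copy of the validator is a usability feature only: a
        // client can skip it by posting the form directly.
        Page.Validate();
        if (!Page.IsValid)
        {
            litOutput.Text = "Use only alphanumeric characters";
            return;
        }

        // Independent server-side check, so the page stays safe even if the
        // validator is removed from the markup later.
        string name = txtName.Text;
        if (!NamePattern.IsMatch(name))
        {
            litOutput.Text = "Use only alphanumeric characters";
            return;
        }

        // A comment may legitimately contain characters request validation
        // would have rejected, e.g. "a < b". We bound its length and rely on
        // encoding, not filtering, to stop it from being interpreted as HTML.
        string comment = txtComment.Text;
        if (comment.Length > MaxCommentLength)
        {
            litOutput.Text = "Comment too long";
            return;
        }

        // Encode at the point of output: "<script>" becomes "&lt;script&gt;"
        // and the browser renders it as text.
        litOutput.Text = string.Format(
            "Hello, {0}. You wrote: {1}",
            HttpUtility.HtmlEncode(name),
            HttpUtility.HtmlEncode(comment));
    }
}
```

Validation and encoding do different jobs here: the allow-list restricts the shape of data the application accepts, while encoding guarantees that whatever was accepted cannot change the structure of the HTML it is written into. Dropping request validation without adding the encoding step turns the original Response.Write(txtName.Text) into a reflected XSS.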
References:
How To: Protect From Injection Attacks in ASP.NET http://msdn.microsoft.com/en-us/library/ff647397.aspx
Regular Expressions http://msdn.microsoft.com/en-us/library/system.text.regularexpressions.regex.aspx
How to handle HttpRequestValidationException http://forums.asp.net/t/811547.aspx/1?How+to+handle+HttpRequestValidationException
Potentially dangerous Request.Form value was detected from the client http://www.dreamincode.net/forums/topic/234664-potentially-dangerous-requestform-value-was-detected-from-the-client/
