A potentially dangerous request. form value was detected from the client Solution

System. Web. httprequestvalidationexception: a potentially dangerous request. form value was detected from the client

Method 1: Disable request verification by setting validaterequest = "false" in the page instruction or configuration section.

Method 2: the correct method is to add the page_error () function on your current page to capture the exceptions that are generated during the processing of all pages without being processed. Then, a legal error is reported to the user.
Information. If the current page does not contain page_error (), this exception will be sent to application_error () of global. asax for processing. You can also
Write common exception reporting and error handling functions. If no exception handling function is written in both locations, the default error page is displayed.

For example, to handle this exception, you only need a short section.CodeThat's enough. Add the following code to the code-behind page:

The following is a reference clip: Protected void page_error (Object sender, eventargs E) { Exception EX = server. getlasterror (); If (ex is httprequestvalidationexception) { Response. Write ("enter a valid string. "); Server. clearerror (); // if the error is not clearerror (), it will be passed to application_error (). } }

In this caseProgramThe httprequestvalidationexception exception can be intercepted, and a reasonable error message can be returned according to the programmer's wishes.

This code is very simple, so I hope that all friends who do not really want to allow user input and other characters should not prohibit this security feature at will. If you only need to handle exceptions, use the code similar to the above to process it.

For programmers who explicitly prohibit this feature, they must understand what they are doing and manually check the strings that must be filtered, otherwise, your website is vulnerable to cross-site scripting attacks.

What should I do with pages with rich text editor?

If the page has a control of the Rich Text Editor, the HTML tag of the class will be submitted back. In this case, we have to set validaterequest = "false ". So how to deal with security? In this situation, how can we prevent cross-site scripting attacks to the maximum extent?

According to Microsoft's suggestion, we should adopt the"Disabled by default, explicitly allowed.

First, we encode the input string with httputility. htmlencode (), and completely disable the HTML Tag.

Then we replace the security tags that we are interested in with Replace. For example, if we want a "tag", we will explicitly replace it "".

The sample code is as follows:

The following is a reference clip: Void submitbtn_click (Object sender, eventargs E) ...{ // Encode the input string so that all HTML tags are invalid. Stringbuilder sb = new stringbuilder ( Httputility. htmlencode (htmlinputtxt. Text )); // Then we can selectively allow <B> and <I> SB. Replace ("& lt; B & gt;", "<B> "); SB. Replace ("& lt;/B & gt ;",""); SB. Replace ("& lt; I & gt;", "<I> "); SB. Replace ("& lt;/I & gt ;",""); Response. Write (sb. tostring ()); }

In this way, some HTML tags and dangerous tags are allowed.

Based on the suggestions provided by Microsoft, we should be careful to allow the following HTML tags, because these HTML tags may cause cross-site scripting attacks.

The following is a reference clip: <Applet> <Body> <Embed> <Frame> <Script> <Frameset> <Html> <IFRAME> <IMG> <Style> <Layer> <Link> <Ilayer> <Meta> <Object>

is the most incomprehensible. However, you should understand the risks after reading the following code.

The following is a reference clip: Script: Alert ('hello'); "> Script: Alert ('hello'); ">

The label may cause JavaScript Execution, so that attackers can do anything they want to disguise.

The same is true for <style>:

The following is a reference clip: <Style type = "text/JavaScript">... Alert ('hello '); </Style>

From: http://www.cnblogs.com/RIVERSPIRIT/articles/1085814.html