ASP. NET 4.0 authentication request a potentially dangerous request. form value was detected from the client (ctl00 $ mainc

Source: Internet
Author: User
Tags visual studio 2010

A potentially dangerous request. form value was detected from the client (ctl00 $ maincontent $ txtcode = "<code> </code> ").

Description: Request validation has detected a potentially dangerous client input value, and processing of the request has been aborted. this value may be indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. to allow pages to override application request validation settings, Set requestvalidationmode = "2.0" In Configuration section. After setting this value, you can then disable request validation by setting validaterequest = "false" in the page directive or in Configuration section. However, it is stronugly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink? Linkid = 153133.

Exception details:System. Web. httprequestvalidationexception: a potentially dangerous request. form value was detected from the client (ctl00 $ maincontent $ txtcode = "<code> </code> ").

Version Information: Microsoft. NET Framework Version: 4.0.21006; ASP. NET version: 4.0.21006.1

 

After Visual Studio 2010 beta2 is installed, when the page input box is "<" or ">" by default. According to the access policy, this will lead to some security issues, such as cross-site scripting attack ). The more accurate description of this problem is,When you install. NET Framework 4.0 or laterProgramTo.. NET Framework 4.0 is the Framework version. Any server request will be verified by the server request (validationrequest). This includes not only ASP. net, also including web services and other HTTP requests, not only for the ASPX page, but also for the HTTP handler, HTTP module, etc., because of this verification (valify) process, it will occur before the beginrequest event.

Based on the above principles, in ASP. in versions earlier than net, request verification is also activated by default, but occurs at the page level (aspx) and takes effect only when the request is executed. Therefore, in the old version, we only need to configure as follows:

Set in page level (aspx)
Validaterequest= "False"
Or
Set at the global level (in Web. config)
<Configuration>
<System. Web>
<PagesValidaterequest="False">

However, the preceding settings are only valid for ASP. net4.0 and later versions. In ASP. net4.0, we need more configuration lines:

Set at the global level (in Web. config)
<Configuration>
<System. Web>
<HttpruntimeRequestvalidationmode="2.0">

This is explained on the page where an error occurs. In actual use, this is not only the case, but I also found that the requestvalidationmode can be set to be smaller than 4.0, for example, 1.0, 2.0, 3.0, and 3.9, the error code 2.0 is specified in the error message to describe ASP. NET 2.0 by default.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.