ASP. NET 4.0 authentication request a potentially dangerous request. form value was detected from the client (ctl00 $ mainc

A potentially dangerous request. form value was detected from the client (ctl00 $ maincontent $ txtcode = "<code> </code> ").

Description: Request validation has detected a potentially dangerous client input value, and processing of the request has been aborted. this value may be indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. to allow pages to override application request validation settings, Set requestvalidationmode = "2.0" In Configuration section. After setting this value, you can then disable request validation by setting validaterequest = "false" in the page directive or in Configuration section. However, it is stronugly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink? Linkid = 153133.

Exception details:System. Web. httprequestvalidationexception: a potentially dangerous request. form value was detected from the client (ctl00 $ maincontent $ txtcode = "<code> </code> ").

Version Information: Microsoft. NET Framework Version: 4.0.21006; ASP. NET version: 4.0.21006.1

 

After Visual Studio 2010 beta2 is installed, when the page input box is "<" or ">" by default. According to the access policy, this will lead to some security issues, such as cross-site scripting attack ). The more accurate description of this problem is,When you install. NET Framework 4.0 or laterProgramTo.. NET Framework 4.0 is the Framework version. Any server request will be verified by the server request (validationrequest). This includes not only ASP. net, also including web services and other HTTP requests, not only for the ASPX page, but also for the HTTP handler, HTTP module, etc., because of this verification (valify) process, it will occur before the beginrequest event.

Based on the above principles, in ASP. in versions earlier than net, request verification is also activated by default, but occurs at the page level (aspx) and takes effect only when the request is executed. Therefore, in the old version, we only need to configure as follows:

Set in page level (aspx)
Validaterequest= "False"
Or
Set at the global level (in Web. config)
<Configuration>
<System. Web>
<PagesValidaterequest="False">

However, the preceding settings are only valid for ASP. net4.0 and later versions. In ASP. net4.0, we need more configuration lines:

Set at the global level (in Web. config)
<Configuration>
<System. Web>
<HttpruntimeRequestvalidationmode="2.0">

This is explained on the page where an error occurs. In actual use, this is not only the case, but I also found that the requestvalidationmode can be set to be smaller than 4.0, for example, 1.0, 2.0, 3.0, and 3.9, the error code 2.0 is specified in the error message to describe ASP. NET 2.0 by default.