In .NET 4.0 request validation was stepped up a notch! It seems when any code tries to access Request.Form, the values within the form are validated, and a HttpRequestValidationException is thrown.
This in itself shouldn't be a problem, except that I've found a particular scenario where ASP.NET itself is certainly not doing me any favours in dealing with this situation.
I have a form which accepts HTML input (I'd rather not, but I do, OK?). The edit model for this form has the [AllowHtml] attribute on the field, so submitting HTML is fine and does not throw the exception.
However, if the user is not authenticated (for example, their session timed out) and they try to submit the form, a HttpRequestValidationException is thrown while ASP.NET is trying to redirect to the login page. The exception is thrown when ASP.NET is verifying whether the request is an AJAX request or not, at which point it tries to access a form field.
Stack trace:
[HttpRequestValidationException(0x80004005): A potentially dangerous Request.Form value was detected from the client (LongDescription="<p>Hello</p>").]
   System.Web.HttpRequest.ValidateString(String value,String collectionKey,RequestValidationSource requestCollection)+8855748
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc,RequestValidationSource requestCollection)+122
   System.Web.HttpRequest.get_Form()+150
   System.Web.HttpRequestWrapper.get_Form()+11
   System.Web.UI.PageRequestManager.IsAsyncPostBackRequest(HttpRequestBase request)+223
   System.Web.Handlers.ScriptModule.HttpResponse_Redirecting(Object sender,EventArgs e)+82
   System.Web.HttpResponse.Redirect(String url,Boolean endResponse,Boolean permanent)+394
   System.Web.Security.FormsAuthenticationModule.OnLeave(Object source,EventArgs eventArgs)+9044409
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()+148
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step,Boolean& completedSynchronously)+75
jason.duffet...
HttpRequestValidationException redirecting to login page (forms authentication)
Apr 10, 2012 02:27 PM
Re-posted (with permission) from Stack Overflow: http://stackoverflow.com/questions/8588634/httprequestvalidationexception-redirecting-to-login-page-forms-authentication
Offending lines of code within
All I would like is for it to successfully redirect to the login page in this scenario. I'd also like to NOT disable .NET 4.0 validation!
Anyone got any ideas on how to overcome this problem?
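One possible approach to the redirect failure described in the post, given here as an added example that is not part of the original post or of ASP.NET itself: a custom System.Web.Util.RequestValidator that keeps .NET 4.0 validation on for everything except the LongDescription form key seen in the stack trace, and only on one path. The class name and the ~/Products/Edit path are assumptions; the exempted field still has to be sanitized or encoded before it is rendered, exactly as it already must be under [AllowHtml].

```csharp
using System;
using System.Web;
using System.Web.Util;

// Added example. Assumed names: HtmlFieldRequestValidator and ExemptPathPrefix.
// Register it in web.config (system.web):
//   <httpRuntime requestValidationType="HtmlFieldRequestValidator" />
// Use the namespace- and assembly-qualified type name if the class is not global.
public class HtmlFieldRequestValidator : RequestValidator
{
    // Hypothetical app-relative path of the action whose model field has [AllowHtml].
    private const string ExemptPathPrefix = "~/Products/Edit";

    // Form key taken from the exception message in the stack trace.
    private const string ExemptFormKey = "LongDescription";

    protected override bool IsValidRequestString(
        HttpContext context,
        string value,
        RequestValidationSource requestValidationSource,
        string collectionKey,
        out int validationFailureIndex)
    {
        // Exempt one form field on one path only. Query string, cookies, headers,
        // other form fields and all other URLs keep the built-in checks.
        bool isExemptField =
            context != null &&
            requestValidationSource == RequestValidationSource.Form &&
            string.Equals(collectionKey, ExemptFormKey, StringComparison.Ordinal) &&
            context.Request.AppRelativeCurrentExecutionFilePath.StartsWith(
                ExemptPathPrefix, StringComparison.OrdinalIgnoreCase);

        if (isExemptField)
        {
            // -1 means "no offending character position".
            validationFailureIndex = -1;
            return true;
        }

        // Everything else goes through the default .NET 4.0 validation.
        return base.IsValidRequestString(
            context, value, requestValidationSource, collectionKey,
            out validationFailureIndex);
    }
}
```

Because the validator is consulted whenever Request.Form is read, the exemption also covers the read made by ScriptModule.HttpResponse_Redirecting during the forms-authentication redirect, where [AllowHtml] has no effect.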