Last post Apr 10, 2012 10:27 AM by jason.duffett
Apr 10, 2012 10:27 AM | jason.duffett
Re-posted (with permission) from Stack Overflow:
In .NET 4.0 request validation was stepped up a notch! It seems when any code tries to access Request.Form, the values within the form are validated, and a HttpRequestValidationException is thrown.
This in itself shouldn't be a problem, except that I've found a particular scenario where ASP.NET itself is certainly not doing me any favours in dealing with this situation.
I have a form which accepts HTML input (I'd rather not, but I do, OK?). The edit model for this form has the
However, if the user is not authenticated (for example, their session timed out) and they try to submit the form, a HttpRequestValidationException is thrown while ASP.NET is trying to redirect to the login page. The exception is thrown when ASP.NET is verifying whether the request is an AJAX request or not, at which point it tries to access a form field.
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (LongDescription="<p>Hello</p>").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8855748
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
   System.Web.HttpRequest.get_Form() +150
   System.Web.HttpRequestWrapper.get_Form() +11
   System.Web.UI.PageRequestManager.IsAsyncPostBackRequest(HttpRequestBase request) +223
   System.Web.Handlers.ScriptModule.HttpResponse_Redirecting(Object sender, EventArgs e) +82
   System.Web.HttpResponse.Redirect(String url, Boolean endResponse, Boolean permanent) +394
   System.Web.Security.FormsAuthenticationModule.OnLeave(Object source, EventArgs eventArgs) +9044409
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75
Offending lines of code within
// DevDiv Bugs 188713: X-MicrosoftAjax header is stripped by some firewalls
string asyncPost = request.Form[AsyncPostFormField];
return !String.IsNullOrEmpty(asyncPost) && (asyncPost.Trim() == "true");
All I would like is for it to successfully redirect to the login page in this scenario. I'd also like to NOT disable .NET 4.0 validation!
Anyone got any ideas on how to overcome this problem?
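One way to approach the failure described above, as an added example that is not part of the original post: the `ValidateString` frame in the stack trace is where .NET 4.0 consults the application's `RequestValidator`, so a custom validator can exempt the single HTML-bearing field while every other value keeps the default checks, including when `ScriptModule` touches `Request.Form` during the login redirect. The class name, namespace and assembly are hypothetical; the field name is the one shown in the exception message.

```csharp
using System;
using System.Web;
using System.Web.Util;

// Hypothetical class name. Register it in web.config (namespace and assembly assumed):
//   <httpRuntime requestValidationType="MyApp.HtmlFieldRequestValidator, MyApp" />
public class HtmlFieldRequestValidator : RequestValidator
{
    // Field name taken from the exception message in the post.
    private const string HtmlField = "LongDescription";

    protected override bool IsValidRequestString(
        HttpContext context,
        string value,
        RequestValidationSource requestValidationSource,
        string collectionKey,
        out int validationFailureIndex)
    {
        // Exempt only the one form field that is meant to carry HTML.
        // Query string, cookies, headers and all other form fields
        // still go through the built-in .NET 4.0 validation below.
        if (requestValidationSource == RequestValidationSource.Form &&
            String.Equals(collectionKey, HtmlField, StringComparison.Ordinal))
        {
            validationFailureIndex = -1; // -1 means "no offending character"
            return true;
        }

        return base.IsValidRequestString(
            context, value, requestValidationSource,
            collectionKey, out validationFailureIndex);
    }
}
```

The exemption applies to that field name on every URL in the application, so the value must still be sanitised (for example against an allow-list of tags) before it is stored or rendered.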