Jan 10, 2014 04:26 AM|Dude123|LINK
I have this in my web.config:
<httpRuntime targetFramework="4.5.1" requestValidationMode="4.5" />
I am navigating to this page: http://site/page.aspx?Text=<tag>bla,bla</tag>
I would like to prevent validation on this query parameter so from code behind I get the value like this:
Dim s As String = Request.Unvalidated.QueryString("Text")
According to the documentation I should not be getting this error:
A potentially dangerous Request.RawUrl value was detected from the client (="...Text=<tag>bla,bla</tag>").
I am running in classic mode, not integrated, if that makes a difference.
I get this error even when using ValidateRequest="false" page directive although I would rather be more selective.
Jan 10, 2014 07:21 AM|Sanjay.Baroda|LINK
ASP.NET 4 has a breaking change with ValidateRequest. Refer to http://stackoverflow.com/questions/2673850/validaterequest-false-doesnt-work-in-asp-net-4 for why ValidateRequest="false" doesn't work.
Note that there is a way to turn the validation back to 2.0 for one page, as shown in the above post.
Jan 11, 2014 01:31 PM|Dude123|LINK
Yes, I know about the trick of turning validation back to 2.0 and I have been using it for the past year; however, I want to stop using this hack since I want to take advantage of the features of .NET 4.5 and 4.5.1, and want to prevent validation on only certain elements of a page, not all. This problem was supposed to be solved with the Request.Unvalidated() fix MS provided in .NET 4.5.1. Even the thread you linked to shows this as a solution by Szymon Sasin. This link also states it should work: http://go.microsoft.com/fwlink/?LinkId=235367
Again, my question is: why does Request.Unvalidated throw a validation error when it was specifically designed to bypass validation?
Jan 11, 2014 07:02 PM|valuja|LINK
Request.Unvalidated will not throw a validation error if you use it to get the values from the query string. This will, however, not prevent the query string from being validated at a later stage in the page life cycle when the page is requested; it is just a way to get access to the values without causing them to be validated at that time.
If you would like to customize the validation you can find info here: http://go.microsoft.com/fwlink/p/?LinkID=243046
Jan 11, 2014 10:43 PM|Dude123|LINK
You have made the same point I made. Yes Request.Unvalidated SHOULD NOT throw a validation error as described in the documentation but for me it does. I get the error described in my original post: "A potentially dangerous Request.RawUrl ..." when
My question was why do I get the error when I shouldn't.
Jan 15, 2014 06:38 AM|Happy Chen - MSFT|LINK
"A potentially dangerous Request.Form value was detected from the client".
This was because .NET detected something in the entered text which looked like an HTML statement. Then I got a link, Request Validation, which is a feature put in place to protect your application from cross-site scripting attacks, and followed accordingly.
I would suggest you refer to the link below for details:
ASP.NET 4.0 potentially dangerous Request.Form value was detected
Hacking Intel - XSS Security exploit with ASP.Net using .RewritePath and Request.RawUrl bypassing ASP.Net native script protection
Hope it can help you.
Jan 15, 2014 01:40 PM|Dude123|LINK
I am intimately aware of XSS dangers and the changes MS made in page validation with v4.0. I am also aware that you can go back to the validation behavior of v2.0 with that web.config tag. Again, this was not my question. Please read my original post. To reiterate: with the release of .NET 4.5, Microsoft has realized that some of us may want to perform our own selective page validation. According to their own documentation here: http://go.microsoft.com/fwlink/?LinkId=235367 you should be able to bypass their validation with a new feature called lazy or deferred request validation. You enable this feature if you include this in your web.config:
<httpRuntime requestValidationMode="4.5" ... />
The documentation also states that with 4.5 they now support unvalidated requests. This means that if you use requestValidationMode="4.5" (lazy validation) in conjunction with accessing the requested data like this:
var s = context.Request.Unvalidated.Form["forum_post"];
You should be able to bypass the validation ASP.NET provides on a field-by-field basis.
Now I did all this. Modified my web.config as the documentation stated and only used Request.Unvalidated to access the posted data. Yet still I get the exception specified in my original post. The question is why?
Jan 16, 2014 03:17 AM|valuja|LINK
You will get the exception even if you access the value using the Unvalidated property, just not exactly when you access that value but later in the page lifecycle, when the request is validated using the standard validation process in ASP.NET. To avoid this you will need to create your own validation plugin that bypasses this standard feature.
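A sketch of the kind of validation plugin the post above describes, added here as an example (not code from the thread or from Microsoft): a System.Web.Util.RequestValidator subclass that skips the built-in check only for the Text query parameter and the raw URL of one page, then HTML-encodes the value before use. The class name, the ~/page.aspx location, the ReadExemptField helper and the web.config registration shown in the comment are assumptions of the example.

```csharp
using System;
using System.Web;
using System.Web.Util;

// Hypothetical validator (name and constants are assumptions of this example).
// Assumed registration in web.config:
//   <httpRuntime requestValidationMode="4.5"
//                requestValidationType="SelectiveRequestValidator" />
public class SelectiveRequestValidator : RequestValidator
{
    private const string ExemptPage = "~/page.aspx"; // page from the first post, assumed at app root
    private const string ExemptKey = "Text";         // query parameter from the first post

    protected override bool IsValidRequestString(
        HttpContext context, string value,
        RequestValidationSource requestValidationSource,
        string collectionKey, out int validationFailureIndex)
    {
        validationFailureIndex = -1;
        bool onExemptPage = string.Equals(
            context.Request.AppRelativeCurrentExecutionFilePath,
            ExemptPage, StringComparison.OrdinalIgnoreCase);

        if (onExemptPage)
        {
            // The exempt field: the page must validate and encode it itself.
            if (requestValidationSource == RequestValidationSource.QueryString
                && string.Equals(collectionKey, ExemptKey, StringComparison.OrdinalIgnoreCase))
                return true;

            // The raw URL carries the same field, so skip it on this page only.
            // Other query keys still reach the base call when read through QueryString.
            if (requestValidationSource == RequestValidationSource.RawUrl)
                return true;
        }

        // Everything else goes through the built-in checks.
        return base.IsValidRequestString(context, value,
            requestValidationSource, collectionKey, out validationFailureIndex);
    }

    // Reads the exempt field and HTML-encodes it before it can be rendered.
    public static string ReadExemptField(HttpRequest request)
    {
        string raw = request.Unvalidated.QueryString[ExemptKey] ?? string.Empty;
        return HttpUtility.HtmlEncode(raw);
    }
}
```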
Jan 16, 2014 05:44 AM|Dude123|LINK
That's not what the documentation states. Read here: http://go.microsoft.com/fwlink/?LinkId=235367
Excerpts from .NET 4.5.1 changes:
"Developers have frequently asked for the ability to selectively turn off request validation for their applications. ....."
"ASP.NET 4.5 introduces two features that make it easy for you to selectively work with unvalidated input: deferred ("lazy") request validation and access to unvalidated request data."
"The new behavior makes it easier for different application components to look at different pieces of request data without triggering request validation on other pieces."
"However, you might want to access this field without triggering validation because you want to allow markup in that field."
"To allow this, ASP.NET 4.5 now supports unvalidated access to request data."
"You can then use the HttpRequest.Unvalidated property to read the unvalidated form value.."
The article goes on to state that, because the validation is bypassed with this new technique and no exceptions are raised, you should validate it yourself. Excerpt:
"Security warning: ASP.NET 4.5 added the unvalidated request properties and collections to make it easier for you to access very specific unvalidated request data. However, you must still perform custom validation on the raw request data to ensure that dangerous text is not rendered to users."
So why would they put this warning that you as the developer are now responsible for validating your own request if, as you say, the exception is raised anyway? If it is my responsibility to validate, why does it nag me with the exception? My responsibility to me means I get to choose what goes through and I get to raise my own exceptions if I want to -- not the other way around.
Jan 16, 2014 09:34 AM|valuja|LINK
I don't argue with what you say, but the fact is that the validation will still occur since the Request values are parsed by the Page, and that will trigger the exception later in the life cycle. There should exist an easier way to handle that without writing your own handlers, but as far as I know it doesn't.
Jan 16, 2014 01:44 PM|Dude123|LINK
Ok, so if I understand correctly there are two places where validation occurs: one before the page is loaded, for the benefit of MVC, and then again at the page level for web forms. Request.Unvalidated() bypasses the early validation but does not bypass the one that occurs at the page level.
What still has me confused is why the page directive <%@ Page ValidateRequest="false" %>, which is specifically for web forms, does not disable the second validation.
Jan 16, 2014 09:06 PM|galeny|LINK
Look at these links:
They will help you understand how it works.
Please check out the link below:
How to use Request.Unvalidated with ASP.NET
Jan 16, 2014 09:34 PM|Dude123|LINK
Yeah, unfortunately I read all these before and none explain my questions above. It makes no sense why bypassing validation at both levels, (1) the begin request level with Request.Unvalidated() and (2) the page level with the <%@ Page ValidateRequest="false" %> directive, still causes ASP.NET to throw an exception. How many other ways do we need to tell ASP.NET to leave us alone because we want to take over validation in selective scenarios? Yes, I know we can go back to 2.0 validation, but that's a hack. I like the default 4.5 validation for 99% of my site and just want to disable it for a selective set of fields on a few pages. This should not be as difficult as creating my own validation class and littering my web.config with page exceptions.
Jan 22, 2014 02:35 AM|gtscdsi|LINK
Could you please tell me which documentation? Thank you.
Jan 22, 2014 02:48 AM|Dude123|LINK
Apr 06, 2014 08:10 PM|esassaman|LINK
I agree 100%. In my case I do have 2.0 validation on, and want to leave page validation on but just allow ONE form value to contain html-like tags. Request.Unvalidated.Form["blah"] seems completely pointless for Web Pages sites. If your page only works AT ALL with validation completely OFF, then EVERYTHING is unvalidated so... I don't get it. I'd rather have a Request.Validated.Form["blah"] so I can just turn validation ON everywhere I need validated form values and the default Request.Form would be unvalidated.
So now I need to manually validate all my input on that page? Seems kinda odd when all that functionality is built into .net that I have to figure out how to do manual validation myself, hm. Wish I could just call the internal html validation routines on a field by field basis.
May 05, 2020 05:03 PM|hansvonn|LINK
You also need to add ValidateRequestMode="Disabled" to the control. See this question on StackOverflow: https://stackoverflow.com/questions/23633699/control-level-validaterequestmode-has-no-effect