Why potentially dangerous request error even ValidateRequest = false

.net-4.0asp.net-4.0

Here is my Default.aspx

<%@ Page Language="C#" AutoEventWireup="true"  CodeFile="Default.aspx.cs" Inherits="_Default" ValidateRequest="false" %>
<html>
    <head runat="server">
        <title>xss demonstration</title>
    </head>
    <body>
        <form id="form1" runat="server">
        <div>
            We are looking for your feedback. 
            <asp:TextBox ID="txtFeedback" runat="server" TextMode="MultiLine" />
            <br />
            <asp:Button ID="submit" runat="server" Text="Submit" onclick="submit_Click" />
            <br />
            Comment: 
            <br />
            <asp:Literal ID="ltlFeedback" runat="server" />
        </div>
        </form>
    </body>
</html>

And below is Default.aspx.cs

public partial class _Default : System.Web.UI.Page 
{
    protected void submit_Click(object sender, EventArgs e)
    {
        this.ltlFeedback.Text = this.txtFeedback.Text;
    }
}

When I run the application and enter following in the text box.

<script>alert('Hello')</script>

I get following error.

A potentially dangerous Request.Form value was detected from the
client (txtFeedback="alert('Hello…").

My question is why I get this error even though ValidateRequest is set to false in the page?

Best Answer

In .net framework 4.0 you have to set <httpRuntime requestValidationMode="2.0"/> markup in web.config.

<system.web>
     <compilation debug="false" targetFramework="4.0" />
     <httpRuntime requestValidationMode="2.0"/>
</system.web>

Have a look at reference article - ASP.NET 4 Breaking Changes #1: requestValidationMode cause ValidateRequest=False to fail.

Related Topic