A potentially dangerous Request. Form value was detected from the client.

I’m porting a web service over to .NET 4.0 using Visual Studio 2010.  The service is untyped in that is accepts a string as input which is a blob of xml, the service then proceeds to do some custom validation on that xml.  I ran the service up in debug to inject some xml and on invoke got an error from the request validator. 

I tried turning off request validation globally by adding <pages validateRequest=”false” /> to my web.config finding that it didn’t work.  See below extract from breaking change document found here.

“In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.”

The solution is to revert to ASP.NET 2.0 request validation by also adding <httpRuntime requestValidationMode=”2.0″ /> to the web.config.


This entry was posted in .NET. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s