A potentially dangerous Request.Form value was detected from the client

2 posts, 0 answers
  1. andrew
    andrew avatar
    12 posts
    Member since:
    Sep 2008

    Posted 06 Mar 2014 Link to this post

    I'm getting the following error when I post back with the RadEditor

    A potentially dangerous Request.Form value was detected from the client (step1RadEditor$ctl00="...asdf a sdf<br>").Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. <br>

    This issue has already been discussed in this Post 5 years ago but I'm not satisfied with its solution (ie: setting ValidateRequest to false). Why can't  RadEditor just HTML encode its value(s) before POSTing it to the server so it wont trigger ASP.NET's alarm? 

    Is there a better work around?
  2. Vasil
    Vasil avatar
    1640 posts

    Posted 07 Mar 2014 Link to this post

    Hi Andrew,

    The RadEditor encodes the text already. For example in this demo:
    You can write <test></test> in the Design mode and in the HTML mode you will see that the text is escaped as &lt;test&gt;

    So by default it should work correct even with enabled request validation. The problem that you see could be related to your configuration or some errors in the page. If you send us page that we can test, I would be happy to provide you further assistance in resolving the issue.


    DevCraft Q1'14 is here! Watch the online conference to see how this release solves your top-5 .NET challenges. Watch on demand now.

Back to Top