Captcha HttpRequestValidationException: A potentially dangerous Request

2 posts, 0 answers
  1. Yeroon
    87 posts
    Member since:
    Oct 2012

    Posted 20 Jan 2010


    Just to inform you of an error I got. I can work around it by omitting the culprit symbols from the CaptchaImage-CharSet.

    But I got this error with the following setup:

    <telerik:RadCaptcha ID="RadCaptcha1" Runat="server" EnableRefreshImage="true"
                        CaptchaTextBoxLabel="<br />neem de code over."
                        CaptchaLinkButtonText="Genereer nieuwe code"
                        ErrorMessage="Foute code"
                        ValidationGroup="submitGroup">
    </telerik:RadCaptcha>

    At a certain point the code was: JP&#D and that generated the below error:

    Server Error in '/PWeb' Application.

    A potentially dangerous Request.Form value was detected from the client (RadCaptcha1$CaptchaTextBox="JP&#D").
    Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

    Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (RadCaptcha1$CaptchaTextBox="JP&#D").

  2. Pero
    1156 posts

    Posted 21 Jan 2010

    Hello Yeroon,

    I believe the problem is caused by the "&#" characters. The Entity Numbers of the HTML character entities start with "&#" and when they are posted to the server, the request is validated as dangerous because the input is interpreted as trying to inject HTML or client-script.

    My recommendation is to exclude any characters that might cause possibly dangerous input.

    the Telerik team
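A small C# check for the situation Pero describes, added here as an example and not Telerik's or ASP.NET's own code. It re-implements the request-validation rule as publicly documented for System.Web (an assumption about the framework, not its source): a posted value is rejected when it contains "&#", or "<" followed by an ASCII letter, '!', '/' or '?'. The charset it prunes is a constructed one, not Yeroon's.

```csharp
using System;
using System.Linq;

static class CaptchaCharSetCheck
{
    static bool IsAtoZ(char c) => (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

    // Assumed mirror of ASP.NET request validation: returns true and the
    // offending index when the value would raise HttpRequestValidationException.
    public static bool IsDangerousString(string s, out int matchIndex)
    {
        matchIndex = -1;
        for (int i = 0; i < s.Length - 1; i++)
        {
            char c = s[i], next = s[i + 1];
            if (c == '&' && next == '#') { matchIndex = i; return true; }
            if (c == '<' && (IsAtoZ(next) || next == '!' || next == '/' || next == '?'))
            {
                matchIndex = i;
                return true;
            }
        }
        return false;
    }

    // A captcha code is an arbitrary sequence drawn from the charset, so the set
    // is only safe if no ordered pair of its characters forms a flagged sequence.
    // Only the leading character of a bad pair is dropped ('&' goes, '#' stays).
    public static string RemoveUnsafeChars(string charSet)
    {
        var safe = charSet.Where(c =>
            !charSet.Any(d => IsDangerousString(new string(new[] { c, d }), out _)));
        return new string(safe.ToArray());
    }

    static void Main()
    {
        // "JP&#D" is the code from the original post; the second value is a
        // constructed control with the same characters in a harmless order.
        foreach (var code in new[] { "JP&#D", "JP&D#" })
        {
            bool bad = IsDangerousString(code, out int at);
            Console.WriteLine($"{code}: dangerous={bad} index={at}");
        }

        // Constructed charset for the CaptchaImage-CharSet property.
        const string charSet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789&#<>";
        Console.WriteLine($"pruned charset: {RemoveUnsafeChars(charSet)}");
    }
}
```

Running the pruned charset through IsDangerousString for every pair is the check to add wherever a charset is configured, since a later edit to the set can reintroduce the pair.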
