"Potentially Dangerous Request.Form" Exception in a generic handler


I've seen this error before but cannot seem to get around it. In this case, I have an ASHX page spitting out a simple HTML form with a textbox into which XML may be posted. When I try to read the form, I receive the "A potentially dangerous Request.Form value...".

Since it's a generic handler, the "ValidateRequest" attribute isn't available. However, I already had this defined in web.config:

<location path="xml/MyGenericHandler.ashx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
</location>

This snippet predates a move from .NET 3.5 to 4.0 so I'm guessing that's where the breakage originated.

Any idea how to get around this error for ASHX pages?

3

There are 3 answers

0
Wyatt Barnett On BEST ANSWER

The 3.5-4.0 change that clipped you was some stepped up runtime security features for ASP.NET 4.0. The quick fix is to apply the following attribute:

<httpRuntime requestValidationMode="2.0" />

Unfortunately, that opens all pages up to 2.0 request validation, so I'd only do this if you've got a relatively small attack surface.

1
David On

While not a direct answer to your question, I would say to read this previous post. It does give you a way to ensure that the error is not thrown. It's a risky way in one sense, because it means turning off a basic protection. However, the answer is well-reasoned, and it clearly states that you should only implement it when you're absolutely sure you're encoding all output.

A potentially dangerous Request.Form value was detected from the client

As a side note, I would also recommend using the Microsoft Anti-Xss Library rather than the built in Server.HtmlEncode functions.

However, if you can modify the ashx, a simpler solution would be to just modify the error code and add an "if" statement to not log errors if the error message contains the string you want to filter.

0
user626528 On

You'd better disable validation for your handler page only:

  <location path="MyGenericHandler.ashx">
    <system.web>
      <!-- requestValidationMode is to avoid HTML-validation of data posted to the handler -->
      <httpRuntime requestValidationMode="2.0"/>
    </system.web>
  </location>

Or use this property from within your handler to avoid triggering the exception:

context.Request.Unvalidated.Form
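
An added example (not code from any of the posts above) of a handler that reads only the XML field through `Request.Unvalidated`, parses it with DTDs and external resolution disabled, and HTML-encodes what it echoes back. The class name, the `xml` field name and the size limit are assumptions.

```csharp
using System;
using System.IO;
using System.Web;
using System.Xml;
using System.Xml.Linq;

// Hypothetical handler; the class name and the "xml" field name are assumptions.
public class MyGenericHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/html; charset=utf-8";

        // Request.Unvalidated is available from .NET Framework 4.5.
        // Only this one field is read without request validation.
        string raw = context.Request.Unvalidated.Form["xml"];
        if (string.IsNullOrEmpty(raw))
        {
            context.Response.StatusCode = 400;
            context.Response.Write("Missing xml field.");
            return;
        }

        // Parse as data: no DTDs, no external resolution, bounded size (assumed limit).
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
            MaxCharactersInDocument = 1000000
        };

        try
        {
            using (var reader = XmlReader.Create(new StringReader(raw), settings))
            {
                XDocument doc = XDocument.Load(reader);
                // Encode anything derived from the input before writing it into HTML.
                string root = HttpUtility.HtmlEncode(doc.Root.Name.LocalName);
                context.Response.Write("Parsed document with root element: " + root);
            }
        }
        catch (XmlException)
        {
            context.Response.StatusCode = 400;
            context.Response.Write("Invalid XML.");
        }
    }
}
```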