Kevin Dente's Blog

The Blip in the Noise
Disabling request validation in ASP.NET

I recently tried running one of our web applications on ASP.NET 1.1 for the first time. This is a sample app that we ship to customers to show them how to interact with our web service. There's one page in the app that constructs some XML on the client side and submits it to the server in a hidden form field. The new ASP.NET request validation feature didn't like that too much, and threw up an error. A quick Google pointed me at two different ways to disable this option - a page directive to disable it at the page, and a web.config setting to disable it for the app.

Great, I thought, I'll just disable the check for that page. I tried the page directive on ASP.NET 1.1, and it worked fine. I tried it on ASP.NET 1.0, and it barfed. Apparently it doesn't like directive attributes that it doesn't know about.

Next I tried the web.config setting. Same deal. ASP.NET barfs on a web.config setting that it doesn't know about. I guess MS doesn't buy into the whole "ignore what you don't understand" philosophy of forward compatibility.

So I'm stuck. The web app doesn't require 1.1, but I can't have the same code that works on both 1.0 and 1.1. I guess I have to just document that if they are running the app on 1.1, they need to manually edit the page and add the directive.

That stinks.

 

Published Thursday, June 5, 2003 3:23 PM by kevindente

Comments

# re: Disabling request validation in ASP.NET@ Thursday, June 5, 2003 6:48 PM

Hi Kevin,

Each version of ASP.NET (and the overall .NET Framework) has its own Machine.config file. These settings run independently of each other (in other words a V1 app won't see the settings of the V1.1 machine.config).

You can fix the problem you mention above by changing the machine.config file of the V1.1 version to either have validateRequest off by default (not recommend) -- or add a <location> directive within the file to just turn it off for a specific application or directory.

Hope this helps,

Scott

scottgu@microsoft.com

# re: Disabling request validation in ASP.NET@ Thursday, June 5, 2003 8:05 PM

This breaks xcopy deployment, doesn't it? This really does break forward compatibility pretty handily.

Am I right in seeing that in code, once the flag has been set to validate the request, it can't ever be un-set? Doh! So no way to fix this in code and still use an .aspx page.

Philip Rieck

# re: Disabling request validation in ASP.NET@ Thursday, June 5, 2003 8:40 PM

Hi, Scott. Thanks for the response. I didn't realize that you could have custom machine.config settings per-application. Interesting tidbit.

However, I'm not sure how much that helps me. The Visual Studio .NET installer stuff doesn't have a way to change machine.config, as far as I know. And even if it did, requiring changes to machine.config is definitely something I'd rather avoid. I'd rather just document the required changes for 1.1.

These kinds of issues cause significant forward compatibility issues between the runtimes. I hope Microsoft will consider this in future versions of the runtime.

Kevin Dente