Introducing a new ValidateRequest feature in .NET Framework 4.5 for WebForms

As you know, ValidateRequest is a security feature which has been available since .NET Framework 2.0 in WebForms.

This feature prevents users from entering html content in input fields to keep the application away from different kind of XSS injection attacks. That means we will see an error like below if a html style tag is entered inside an input field and then the form is submitted to the server.

A potentially dangerous Request.Form value was detected from the client (TextBox1="<b>content</b>").

But sometimes there is a need to enable user entering raw html contents into the input fields. In these situations we used to go to the page directive and disable this security feature only for this page by setting ValidateRequest="false".

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Test2.aspx.cs" Inherits="WebTest2012.Test2"
 ValidateRequest="false" %>

In which case this feature will be off for only this page and user can enter everything inside the form fields.


Before going any further I have to mention, developers never ever have to rely only on this feature as a final security check point for the application. The input data has to be sanitized in all over the application before any usage! This feature has to be considered as a lightweight extra layer of defense, offered by ASP.NET out of the box.

The mentioned solution works fine for a light weight page with a few input controls. But if the page is heavy or there are a lot of usercontrols which are dynamically loaded into the page, that means we have disabled this security feature for all of them!

Fortunately in .NET Framework 4.5 there is an ability to only turn off this feature for specific controls. For this purpose we should go to the web.config the set requestValidationMode="4.5".

<httpRuntime targetFramework="4.5requestValidationMode="4.5" />

Now we can use ValidateRequestMode properties of the controls to turn request validation off for only selected controls. The values for this property can be Disabled, Enabled, and Inherit.

<asp:TextBox runat="server" ID="TextBox1" ValidateRequestMode="Disabled"></asp:TextBox>

So there is no need to turn ValidateRequest off in the Page directive and only selected controls can accept html content, so the line below works fine.

var content = TextBox1.Text;

But there is another point here. If we try to get the content by Request.Form, we will still get an error as the same as earlier. Here a new added feature to the framework comes into play. We can use new Unvalidated  property of the HttpRequest class. This feature by passes the request validation for a http request.

var content = Request.Unvalidated.Form[TextBox1.ID];

Unvalidated feature is not limited to the Form collection and can be used for other input mechanisms as is shown below.



1 Comment

  • This is a great new feature in 4.5, but the problem is that using OutputCache caching some UserControl will access request.[form|querystring|etc etc] which will break ValidationRequest.

Comments have been disabled for this content.