  • Mike 43 karma points
    Aug 06, 2010 @ 10:52
    Mike
    0

    "A potentially dangerous Request.Form value was detected" when updating content with HTML tags

    I have recently installed umbraco v 4.0.4.2 after suffering a lot of problems with the latest versions not loading the tree nodes within the admin section.

    After a couple of days of trying to install the CMS I finally managed to get Umbraco working locally on Windows XP with WebMatrix. However, I have stumbled upon the following problem when attempting to add content that contains any HTML tags.

    A potentially dangerous Request.Form value was detected from the client (ctl00$body$pageContent="<a href="null">Test<...").

    Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

    Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$body$pageContent="<a href="null">Test<...").

    Here is the stack trace for the error:

    [HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (ctl00$body$pageContent="Test<a href="http://"></...").]
    System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8730676
    System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
    System.Web.HttpRequest.get_Form() +114
    System.Web.HttpRequest.get_HasForm() +8896047
    System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +97
    System.Web.UI.Page.DeterminePostBackMode() +69
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +8431
    System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +253
    System.Web.UI.Page.ProcessRequest() +78
    System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21
    System.Web.UI.Page.ProcessRequest(HttpContext context) +49
    ASP.umbraco_editcontent_aspx.ProcessRequest(HttpContext context) +4
    System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +100
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

    After searching on Google and trying some of the methods, from adding a tag to disable request validation to changing my web.config file, the problem still persists and as such it makes using Umbraco unfeasible.

    Can anyone help with this problem?

  • Arjan H. 202 karma points
    Aug 06, 2010 @ 11:06
    Arjan H.
    0

    You can either put this in your template:

    <umbraco:DisableRequestValidation runat="server"/>

    Or this in your usercontrol's codebehind:

    protected void Page_Init(object sender, EventArgs e)
    {
        try
        {
            ((umbraco.UmbracoDefault)this.Page).ValidateRequest = false;
        }
        catch { }
    }

    But make sure to clean up the input before you process it.
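
One way to do the "clean up the input" step once request validation is off, shown as an added example that is not part of the post above or of Umbraco's code: HTML-encode the whole submitted value, then restore only a fixed allow-list of attribute-free tags. The class name, method name and tag list are assumptions chosen for illustration.

```csharp
using System;
using System.Text;
using System.Web;

// Added example; SubmittedHtml and EncodeWithAllowList are hypothetical names,
// not Umbraco or ASP.NET APIs.
public static class SubmittedHtml
{
    // Assumed policy: simple formatting tags only, and only without attributes.
    private static readonly string[] AllowedTags = { "b", "i", "em", "strong", "p" };

    // Encode everything first, then re-enable only the exact allow-listed tags.
    public static string EncodeWithAllowList(string input)
    {
        if (string.IsNullOrEmpty(input))
        {
            return string.Empty;
        }

        // After encoding, no '<', '>', '&' or '"' supplied by the user is live markup.
        StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(input));

        foreach (string tag in AllowedTags)
        {
            // Only the bare lowercase forms match. A tag carrying attributes,
            // such as an event handler or href, stays encoded and renders as text.
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }

        // Line breaks in the two self-closing spellings and the bare form.
        sb.Replace("&lt;br&gt;", "<br>");
        sb.Replace("&lt;br/&gt;", "<br/>");
        sb.Replace("&lt;br /&gt;", "<br />");

        return sb.ToString();
    }
}

// Usage inside a user control whose page has ValidateRequest = false
// (field and control names are constructed for illustration):
//   litComment.Text = SubmittedHtml.EncodeWithAllowList(Request.Form["comment"]);
```

Because the input is encoded before any tag is restored, a user who types the literal text `&lt;b&gt;` gets it double-encoded and it never matches the allow-list.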

  • Mike 43 karma points
    Aug 06, 2010 @ 11:10
    Mike
    0

    I've tried adding the first line in both my Master template and within the editContent.aspx page and it didn't change anything, as well as changing debugging to true and adding a similar line in my web.config file, but I haven't tried the codebehind as I don't know where to find it. Which file do I need to add/edit to do this?

    EDIT: After searching around I found this video about adding .NET user controls. Is this what I need to do for my master template?

  • Arjan H. 202 karma points
    Aug 06, 2010 @ 11:23
    Arjan H.
    0

    I'm not entirely sure what you're trying to do. The video explains how to add and use custom .NET user controls in Umbraco. But you're having issues with saving HTML in the backend, right? Can you explain exactly what you're doing (maybe add some screenshots)?

  • Mike 43 karma points
    Aug 06, 2010 @ 11:28
    Mike
    0

    Sorry, I think I've needlessly made it seem more complicated than it actually is. To put it short, I cannot add HTML to any content pages because it throws an ASP.NET error. Here's an example of what I'm trying to do; if I add simple text it works fine, but the second I add an HTML tag the error in the first page is thrown.

    http://imgur.com/LsUkm.jpg

  • Arjan H. 202 karma points
    Aug 06, 2010 @ 11:42
    Arjan H.
    0

    I have no experience with WebMatrix, but I did find this:

    http://learn.iis.net/page.aspx/872/webmatrix-beta-release-readme/#Known_Issues_ASPNET

    You did mention you were trying to disable request validation in the web.config, but it doesn't say exactly what you did.

  • Mike 43 karma points
    Aug 06, 2010 @ 11:45
    Mike
    0

    That worked perfectly, thank you very much!

    For anyone else suffering from the same problem, I had changed validateRequest="false" in both my page directives and web.config files and it had no effect, but <httpRuntime requestValidationMode="2.0" /> worked perfectly and now I can add HTML to my content.

    Thanks again!

  • Arjan H. 202 karma points
    Aug 06, 2010 @ 11:47
    Arjan H.
    0

    Glad I could help!

  • Cheryl 22 karma points
    Jan 06, 2012 @ 17:40
    Cheryl
    0

    Hi, I'm having the same problem. Where do I enter the code <httpRuntime requestValidationMode="2.0" />?

    Thanks

  • Sivard 24 karma points
    Jan 12, 2012 @ 22:49
    Sivard
    1

    In the web.config, place it inside the node <system.web> if it's not there already.

  • Cheryl 22 karma points
    Jan 15, 2012 @ 13:24
    Cheryl
    0

    Hi, thanks for your help. This is all very new to me. I have added this code to the web.config and I don't get an error. I save the changes to a page and it says saved, but all the changes I make really do not save.

    All I added was the <httpRuntime requestValidationMode="2.0" /> code

    Not sure where to add the other bits validateRequest="false"

    Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.
