Disabling request validation in ASP.NET Web Pages

Disabling request validation in ASP.NET Web Pages

If you are developing ASP.NET Web Pages (not Web Forms or MVC) and you need to allow users to submit HTML or HTML-like content in input boxes you will find that the methods to avoid the A potentially dangerous Request.Form value was detected from the client error that work for ASP.NET Web Pages and MVC don't work for ASP.NET Web Pages.

For Web Pages you need to change the way you retrieve the submitted data and use the Request.Unvalidated() method.

These are the methods for retrieving submitted values and how you should change them to allow HTML data:

Request["key"] //will not allow HTML
Request.Unvalidated("key") //will allow HTML

Request.Form["key"] //will not allow HTML
Request.Unvalidated().Form["key"] //will allow HTML

Request.QueryString["key"] //will not allow HTML
Request.Unvalidated().QueryString["key"] //will allow HTML

If you are using ASP.NET Web Forms you can make a change in the web.config and/or indivudual pages to allow HTML values to be submitted.

On the individual page level you can add validateRequest="false" to your <@ Page ... %> directive in your .aspx file(s).

If targetting .NET framework 4 you will also need to add <httpRuntime requestValidationMode="2.0" /> to the system.web section of the web.config file:

You can also disable request validation for all pages by adding <pages validateRequest="false" /> to the system.web section of the web.config file.

eg.

<configuration>
  <system.web>
   <httpRuntime requestValidationMode="2.0" />
   <pages validateRequest="false" />
  </system.web>
</configuration>