I searched and read many posts that talk about the error message "A potentially dangerous request.querystring value was detected from the client". But I believe my problem is totally different.

In my web.config file, I already defined two keys below:

HTML
<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false" />


So, if I publish my project (ASP.NET WebForms) without using the Precompile option, everything works smoothly, as I expected.

However, if I publish my project with the Precompile option (precompile all site), the error above always occurs when I submit a form.

The submit form is very simple: it contains one text input control and one submit button. My input text was
<script>alert(1)</script>


So, my question is: why does this issue happen with the precompiled publish build? Any advice for me?

What I have tried:

Putting the two keys below in web.config does not solve the problem.
<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false" />
Updated 6-Jun-18 22:44pm
Comments
Richard Deeming 7-Jun-18 11:15am    
This thread from 2010[^] suggests that the validateRequest setting is ignored when you precompile the site, unless you also select the "Allow this precompiled site to be updatable" option.

If you need to access the request data without triggering the validation, use the Request.Unvalidated collections. NB: This could leave your site vulnerable to XSS unless you properly encode any values read from these collections before you display them.

1 solution

You are passing HTML containing a script tag from your form. Such is potentially dangerous. The goal is not to get rid of the error message by setting some options but to avoid that such dangerous data is passed.

This can be done by encoding the data upon submission and decoding before processing. The common method is to use the HttpServerUtility.HtmlEncode Method (String) (System.Web)[^]. But see also ScottGu's Blog - New <%: %> Syntax for HTML Encoding Output in ASP.NET 4 (and ASP.NET MVC 2)[^].
 
 
Comments
nkphuc700 8-Jun-18 0:22am    
HtmlEncode() already applied in my code.

But, the error only happens with the publish build using precompile. While it works normally with the publish build without using precompile.
Jochen Arndt 8-Jun-18 2:36am    
"HtmlEncode() already applied in my code"

How could I know? You did not mention it in your question.

For the precompiled problem:
See Richard's comment.
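
The approach from Richard Deeming's comment (read the value through Request.Unvalidated, then encode it before display), as an added example that is not part of the original thread. It assumes .NET Framework 4.5 or later and a plain HTML input named "comment"; the names CommentPage, SubmitButton_Click, OutputLiteral and MaxCommentLength are hypothetical.

```csharp
// Added example: WebForms code-behind, not code from the original thread.
// Assumes .NET Framework 4.5+ (where HttpRequest.Unvalidated is available).
using System;
using System.Web;
using System.Web.UI;

public partial class CommentPage : Page
{
    // Assumed application limit, chosen for this example only.
    private const int MaxCommentLength = 2000;

    // OutputLiteral is assumed to be declared in the page markup as
    // <asp:Literal ID="OutputLiteral" runat="server" />, so its field
    // is generated for this partial class.
    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // Read the posted field without triggering request validation for it.
        // "comment" is the name attribute of a plain <input> (hypothetical).
        string raw = Request.Unvalidated.Form["comment"] ?? string.Empty;

        // The value is untrusted: apply the application's own checks first.
        if (raw.Length > MaxCommentLength)
        {
            OutputLiteral.Text = "Comment is too long.";
            return;
        }

        // Keep the raw value for processing or storage, and encode at the
        // point of output so that <script>alert(1)</script> is rendered as
        // text instead of being executed by the browser.
        OutputLiteral.Text = HttpUtility.HtmlEncode(raw);
    }
}
```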

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


