A potentially dangerous request.form value was detected from the client Error in MVC C#


I was following the article on adding a rich text editor as explained here (How to use Rich text editor (CKEditor) in MVC), but when I am submitting CKEditor data to the controller, I am getting this error:

A potentially dangerous Request.Form value was detected from the client


How can I solve it? And why did I get this error?

Thank you


Asked by:- jon
1
At:- 6/5/2018 11:53:29 AM
C# ASP.NET MVC CKEditor in MVC







3 Answers
Answered by:- Sam

Reason:

"A potentially dangerous request.form value was detected...." This error occurs in an ASP.NET MVC web application when you are trying to submit a form which has an input textbox or textarea with HTML content in it.

This is the default behaviour of the application, as ASP.NET implements a validation check on all input so that our web application has basic protection from XSS attacks.

Resolution:

If you want to submit form data with HTML contents, here are the ways to resolve this issue:

  1. Using [AllowHtml] (recommended way)
    You can allow a Model property to accept HTML content by using the [AllowHtml] attribute on it. Suppose you want to submit form data with HTML in "Description"; then in your Model you can use C# code as below
    [AllowHtml]
    public string Description { get; set; }
  2. Another way is to use the [ValidateInput(false)] attribute on your Controller's Action method
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult SaveDataWithHTML(ClassName cn) {
        //save data here
        return View(cn);
    }

    It will disable the validation by ASP.NET MVC only for the above particular Action method; it can be useful when you have multiple Model attributes which allow HTML content.

  3. Another easy way is to disable this validation process. This can be done by setting the below properties in the Web.config file.
    <configuration>
      <system.web>
        <pages validateRequest="false" />
      </system.web>
    </configuration>

    In .NET 4.0, you would have to change one more property.

    <system.web>
      <pages validateRequest="false" />
      <httpRuntime requestValidationMode="2.0" />
    </system.web>

    Note: pages validateRequest="false" opens your web page to Cross Site Injection (XSS) attacks. Use Server.HtmlEncode or some AntiXSS library functions in your C# code to prevent any XSS attack.

Any of the above solutions should help you get rid of the error. Also, I have seen the above-mentioned article; they have already asked to disable validate request to submit form data with CKEditor using the 2nd method which I have told you above.

2
At:- 6/5/2018 3:18:38 PM Updated at:- 9/26/2022 8:40:08 AM
Excellent answer, thank you
By : jon - at :- 6/6/2018 10:07:52 AM
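One way to pair approach 1 with the server-side sanitization the note calls for, as an added example that is not code from the original answers. It assumes ASP.NET MVC 5 and the third-party HtmlSanitizer NuGet package (namespace Ganss.Xss; older releases use Ganss.XSS); ArticleModel, RichText and ArticleController are hypothetical names.

```csharp
using System.Web.Mvc;
using Ganss.Xss; // assumption: HtmlSanitizer NuGet package is installed

public class ArticleModel // hypothetical model
{
    public string Title { get; set; }       // still covered by request validation

    [AllowHtml]                             // only this property may carry markup
    public string Description { get; set; }
}

public static class RichText // hypothetical helper
{
    // One shared instance, configured once and never modified afterwards.
    private static readonly HtmlSanitizer Sanitizer = Create();

    private static HtmlSanitizer Create()
    {
        var s = new HtmlSanitizer();
        // Replace the library defaults with a short allow-list for editor output.
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "strong", "em", "u", "ul", "ol", "li", "a", "blockquote" })
            s.AllowedTags.Add(tag);
        s.AllowedAttributes.Clear();        // drops on* handlers, style, etc.
        s.AllowedAttributes.Add("href");
        s.AllowedSchemes.Clear();           // drops javascript:, data:, ...
        s.AllowedSchemes.Add("http");
        s.AllowedSchemes.Add("https");
        return s;
    }

    public static string Clean(string html)
    {
        return Sanitizer.Sanitize(html ?? string.Empty);
    }
}

public class ArticleController : Controller // hypothetical controller
{
    [HttpPost]
    public ActionResult Save(ArticleModel model)
    {
        if (!ModelState.IsValid) return View(model);
        // Sanitize before storing, so every later reader gets the cleaned markup.
        model.Description = RichText.Clean(model.Description);
        // persist model here
        return RedirectToAction("Index");
    }
}
```

In the view, only the sanitized value goes through `@Html.Raw(...)`; `Title` and every other field keep Razor's default HTML encoding.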


Answered by:- bhanu

If you want to resolve this issue in ASP.NET Web Forms, page-wide, you can use the below code in Web.Config

<configuration>

  <location path="YourFolder/.aspx">
    <system.web>
      <pages validateRequest="false" />
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>

</configuration>

The above code will allow you to use markup as input for specific pages instead of the whole site by putting it all in a <location> element.

OR

Using the asp:TextBox control (ASP.NET 4.5), instead of setting validateRequest="false" for the whole page, you can use

<asp:TextBox runat="server" ID="mainTextBox" ValidateRequestMode="Disabled"></asp:TextBox>

on the textbox only

In ASP.NET MVC

You can exclude a specific input field from HTML input checking, as below

[HttpPost, ValidateInput(true, Exclude = "ExcludeYourFieldName")]
public ActionResult SaveFormValues(int id, FormCollection collection)
{
    //your code here
    return View();
}
1
At:- 5/7/2021 11:24:48 AM


Answered by:- vikas_jk

In the Controller, you can also try the below code for unvalidated values

// ControllerContext is the controller's own property; this read skips request validation for "YourKey"
HttpRequestBase request = ControllerContext.HttpContext.Request;
string re = request.Unvalidated.Form.Get("YourKey");

So, if you have already used request.form in your C# code:

Replace all instances of Request.Params.AllKeys with Request.Unvalidated.Form.AllKeys and all instances of Request[key] with Request.Unvalidated.Form[key].

0
At:- 6/27/2022 12:53:59 PM





