Sunday, 5 June 2011

A potentially dangerous Request.Form value

A potentially dangerous Request.Form value was detected from the client (spanContent="...          <span><p>

I think you are attacking it from the wrong angle by trying to encode all posted data. Note that a "<" could also come from other outside sources, like a database field, a configuration, a file, a feed and so on. Furthermore, "<" is not inherently dangerous; it's only dangerous in a specific context: when writing unencoded strings to HTML output (because of XSS). In other contexts different substrings are dangerous, e.g. if you write a user-provided URL into a link, the substring "javascript:" may be dangerous. The single quote character on the other hand is dangerous when interpolating strings in SQL queries, but perfectly safe if it is a part of a name submitted from a form or read from a database field.

 validateRequest="false"

 <httpRuntime requestValidationMode="2.0" />
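As an added example (not from the original post), here is a web.config that puts the two settings above in context and limits the relaxed validation to the one page that actually needs to accept markup; the page path is an assumption.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the post. Scopes validateRequest="false" to a
     single page instead of the whole application. "Editor.aspx" is an
     assumed path. -->
<configuration>
  <system.web>
    <!-- ASP.NET 4.0 validates every request before the page runs, so a
         per-page validateRequest="false" is ignored until the runtime is
         switched back to the 2.0 validation model. -->
    <httpRuntime requestValidationMode="2.0" />
    <!-- Validation stays on for every other page. -->
    <pages validateRequest="true" />
  </system.web>

  <!-- Only the editor page (assumed path) may receive markup such as "<span>". -->
  <location path="Editor.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

Whatever that page reads from Request.Form must still be HTML-encoded (for example with HttpUtility.HtmlEncode) or sanitized before it is written back into HTML output, which is the context-specific encoding the text above argues for.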