disabling request validation in asp.net 4.0
since .net version 1.1, asp.net has had this annoying feature of displaying an ugly asp.net error page if the user submits a form that .net thinks might contain html. apparently microsoft thought that was better than having web developers who actually know what they’re doing and sanitize user input before sending it to the browser. the only times it’s okay to completely reject user input is when it doesn’t make sense or looks like spam. even in those cases, tell the user why you can’t accept their input, and make sure they still have their original input so they can fix it up rather than enter it all over again from scratch.
the .net request validation will reject the string "<this> is not html" entered in a password field, as well as something that looks even less like html, such as "3<four" (which is actually a reasonably good password). granted you wouldn’t want to send either of those out to the browser in an (x)html document without passing it through something like HttpUtility.HtmlEncode() first since it would invalidate the (x)html. in some cases an attacker can hook up javascript to read passwords and send them to another site so it’s important to sanitize user input, but that doesn’t mean you should reject it like asp.net request validation does.
prior to .net 4.0 you could disable request validation by putting <pages validateRequest="false" /> inside <system.web> in the web.config file. all the documentation said this is not recommended, which in accordance with the points i’ve laid out above is a bad recommendation. using asp.net 4.0 this doesn’t appear to have any effect though, and i expect a lot of decent developers to get reports of “a potentially dangerous request.form value was detected from the client” errors after upgrading to .net 4.0 since most of us probably don’t think to test input that sort of almost looks like it could be html or to test to make sure things we’ve configured to be off haven’t turned themselves back on again.
not only has the old way of disabling request validation been itself disabled, but my searches around the time i first wrote this entry didn’t turn up a way to do it entirely within web.config anymore. the only solution i could find at the time was to create a simple class extending RequestValidator and overriding IsValidRequestString() to say everything is valid; then setting up web.config to use that class. before i get into the details of that, a commenter pointed out (6 months too late for my project) that adding <httpRuntime requestValidationMode="2.0"/> along with <pages validateRequest="false" /> inside <system.web> actually makes it respect the validateRequest="false" part. for historical sake here’s what a class like i used would look like (in c♯):
using System;
class RequestValidatorDisabled : System.Web.Util.RequestValidator {
protected override bool IsValidRequestString(System.Web.HttpContext context, string value, System.Web.Util.RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex) {
validationFailureIndex = -1;
return true;
}
}note you need to set the out parameter as well. it doesn’t appear to have any meaning unless the function returns false so i set it to -1 like string.IndexOf() does when it doesn’t find the value. to hook this up for your entire site using web.config, add (or modify if it’s already there) an httpRuntime element inside system.web and set the requestValidationType attribute to RequestValidatorDisabled, or whatever you named your class. if you put your class inside a namespace, use YourNamespace.RequestValidatorDisabled instead. if you’re using the class code provided above, the line in web.config would look like this:
<httpRuntime requestValidationType="RequestValidatorDisabled" />now get back to coding like a real web developer and handle whatever the user throws at you without asp.net request validation standing in your way.