.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
Sign In
Win Surprise Gifts!!!

Top 5 Contributors of the Month
Gaurav Pal
Post New Web Links

HttpContext.Session A potentially dangerous Request.QueryString value was detected from the client

Posted By:      Posted Date: September 29, 2010    Points: 0   Category :ASP.Net

I have an ashx handler that was working fine in VS2008 but when I upgraded to VS2010 (haven't gone back to VS2008 to double check though) and when I try to grab the value from HttpContext.Request.Params["update"] I get the following error:

+ ex {"A potentially dangerous Request.QueryString value was detected from the client (update=\"<SETIProducts><Produ...\")."} System.Exception {System.Web.HttpRequestValidationException}

"A potentially dangerous Request.QueryString value was detected from the client (update=\"<SETIProducts><Produ...\")."} System.Exception {System.Web.HttpRequestValidationException}

I've read that I can set the validateRequest to false, but I was wondering about the impacts and looking for any other suggestions. 

I know very little about security when it comes to web programming but I thought I should mention that my handler will be running on a internal file server but transmitting data to/from an eCommerce platfo

View Complete Post

More Related Resource Links

Error:A potentially dangerous Request.QueryString value was detected from the client




I am creating the web application using c# in which i got a situation like this.


When I pass the Querystring as


I'm getting the following error. I need to  Trap this error by  redirecting  to a page say 'Access Denied.aspx' when the user types this query string.

And I dont want to disable request validation by setting validateRequest=false in the page directive.

Server Error in '/root' Application.

A potentially dangerous Request.Form value was detected from the client


I know this has been discussed already but my problem isn't the error itself. My problem is I am including [ValidateInput(false)] above my ActionResult and I still receive this error when I click submit. Is there something somewhere else overriding this command?

Here is what the code looks like.

[Authorize(Roles = "Administrator")]
        public ActionResult Create(FormCollection Form)

[Authorize(Roles = "Administrator")]



A potentially dangerous Request.Form value was detected from the client



i have a form that use can insert some text in textbox

if user insert <..> page return an error like

A potentially dangerous Request.Form value was detected from the client 

the problem is i need to user inter some html code that's because i change the code in web.config file

<pages validateRequest="false"

URGENT!!, A potentially dangerous Request.Form value was detected from the client



I get mails about an unhandled error has occurred:
Message: A Potentially Dangerous Request.Form value was detected from the client (ctl00 $ default master content $ txtCustomerMessage ="... ???????? <a href = "http://aovo ...").

 Stack Trace:
   at System.Web.HttpRequest.ValidateString (String s, String Value name, String collection name)
   at System.Web.HttpRequest.ValidateNameValueCollection (name value collection nvc, String collection name)
   at System.Web.HttpRequest.get_Form ()
   at System.Web.HttpRequest.get_HasForm ()
   at System.Web.UI.Page.GetCollectionBasedOnMethod (Boolean dontReturnNull)
   at System.Web.UI.Page.DeterminePostBackMode ()
   at System.Web.UI.Page.ProcessRequestMain (Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest (Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.AsyncPageProcessRequestBeforeAsyncPointCancellableCallback (Object state)
   at System.Web.HttpContext.InvokeCancellableCallback (wait callback callback, Object state)
   at System.Web.UI.Page.AsyncPageBeginProcessRequest (HttpC

A potentially dangerous Request.Path value was detected from the client (?).


I am using Webhandler to upload images to the server. I want to send the folder name so on that folder the images will save. I am using this URI format and got the below error.

A potentially dangerous Request.Form value was detected from the client


I am getting the above error when I am trying to save a value '<TS1'. I did the search and came to know it is about html injection. So I entered ValidateRequest="false" on top of the page and in the code behind file I have the following code.

Protected Sub fvAddCompass_ItemInserting(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.FormViewInsertEventArgs) Handles fvAddCompass.ItemInserting

Dim strProvided A

A potentially dangerous Request.Form value was detected from the client


We have a DOT.NET app that we paste info into. Sometimes the text contains characters which seem to offend dot.net. So the application breaks. How we intecept these breaks and then decide for ourselves if the content is really "potentially dangerous" or not?

The same string even breaks this "post a new message".

A potentially dangerous Request.Form value was detected from the client


i have 2 aspx files
1) 1.aspx - collects info from the user, stores into the DB.
2) 2.aspx - collects info from the DB and displays back to the user

in 2.aspx, i am encoding(htmlencode,urlencode.....) and displaying the info. so srcipt is displayed as text but not executed. -- expected result.
in 1.aspx, i am collecting info from textboxes and store in DB,i am getting below exception when clicked on save button.
"A potentially dangerous Request.Form value was detected from the client ...".

how do i fix it?
guys please dont tell me to turn off validaterequest.i want that to be turned ON, for security reasons.

also i want to validate the input before storing into the DB.so that my DB holds verified and trusted data(not malicious).

any help would be highly appreciated.

A potentially dangerous Request.Form value was detected from the client in


Hi All, I have a MVC application and I am using a rich text box control in a textarea control. I have bind the page with the Model and fetching the data from the class properties. here is the textarea control to use the Text Editor


Potentially dangerous script....blah blah


explain this one - -   (please)

2 projects - same code - one, using 2008, one using 2010 - a textbox a button and a label, using html code in the textbox

In the Page Directive:
EnableEventValidation="false" ValidateRequest="false&q

How to implement custom HttpContext for each request under class that implements IHTTPHandler


Hello All,

I created an application and implemented IHTTPHandler for all incoming request ending with ".aspx" extension.

Under "ProcessRequest" module, I am creating an instance of HttpContext (with URL attributes different from my application's URL i.e. if I am working on localhost then speciying Yahoo.com as its URL) and assigning it to "context" which comes as method argument.

After redirection, an error is generated. Also, the custom HTTPContext is not passed to the requested page (default.aspx, in my case.)

Code is as follows.

    Public Sub ProcessRequest(ByVal context As System.Web.HttpContext) Implements System.Web.IHttpHandler.ProcessRequest
            Dim requestedUrl As String
            Dim targetUrl As String
            Dim urlLength As Integer
            'Save settings which will be used while redirecting to appropriate page
            requestedUrl = context.Request.RawUrl
            If requestedUrl.IndexOf("?") >= 0 Then
                targetUrl = requestedUrl.Substring(0, requestedUrl.IndexOf("?"))
                targetUrl = requestedUrl
            End If
            If targetUrl = Nothing Or targetUrl.Length = 0 Then
                targetUrl = requestedUrl
            End If

Good news for those of you who get "Unable to make the session state request to the session state se


Dear all,

Due to the known problem of session variables getting lost if using InProc-server during frequent changes in development, I had to choose between SQL and ASP.NET State server, so I opted for the second. Initially, all fine, but after using it for a few days, I started to get this error:

 Server Error in '/cv2' Application.
Unable to make the session state request to the session state server. Please ensure that the ASP.NET State service is started and that the client and server ports are the same.  If the server is on a remote machine, please ensure that it accepts remote requests by checking the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters\AllowRemoteConnection.  If the server is on the local machine, and if the before mentioned registry value does not exist or is set to 0, then the state server connection string must use either 'localhost' or '' as the server name.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: Unable to make the session state request to the session state server. Please ensure that the ASP.NET State service is started and that the clie

question regarding request.querystring


I have a url like this:

http://www.somepage.com/main.aspx.  In this page, when I click on a link it takes me to a page http://www.somepage.com/cental.aspx?cid=200.  So in the cental.aspx.cs page I did the following in the page load:


if(request.querystring["comp"].tostring() != null)


//do some thing


So I got an error like: object reference not set to an instance of reference.


My problem is, I am using the same page.  So when I go from some page, I will have "comp".  but other times not.  So when there is no "comp", how do I handle it in request.querystring?


Request.Querystring and UrlDecoding


(asp.net 2.0, c#)


I have a page requesting a qyerystring looking like this ?test=b%E4st, %E4 is the url-encoded letter ä. I can't change how this looks and encodes since I have no access to the page doing the request.

string strTest = Request.Querystring["test"].ToString();

If I then, for instance, just Response.Write(strTest) the character ä (%E4) is broken. Displayed as a question mark. I have in my web.config the requestEncoding and responseEncoding set to utf-8. That is the way I need to have it, and I can't change that.

I've looked around for a solutions for this and the issue seems to be iso-8859-1 vs utf-8 in the querystring and url-decoding. It seems the Request.Querystring automatically url-decodes the string using the default encoding, in my case utf-8. I need it to url-decode using iso-8859-1 instead. I can achieve this by altering the web.config, but as I said earlier this is not an option.

I have tried to do this:

Encoding enc = Encoding.GetEncoding(28591);
string strTest= Request.QueryString["test"];
strTest= HttpUtility.UrlDecode(strTest, enc);

Not working, since the Request.QueryString already has url-decoded the value using utf-8.

Can I somehow override the requestEncoding in the web.config? Or is the any other way of doing this?

How to bind a WCF Http client to a specific outbound IPAddress before making the request

I want my request to go out through a specific IP Addresses. Is there a way to do that in WCF. The explanation of why I need this is a little long winded so i'd rather not get into that. Here is sample code string ipAddress = ""; IService service; ChannelFactory<IOmlService> factory = new ChannelFactory<IService>(new BasicHttpBinding(), new EndpointAddress("http://" + IPAddress + ":6996/IService")); service = factory.CreateChannel(); service.Test(); Here is an example scenario to explain exactly what i'm looking for. Let's say I have two IPs on my machine ( and Both of them can hit If i run this code now, it will hit the IP (.32) from any of my IPs (.30 or .31). How can i force it to go through a specific IP of mine (say .30). Is there any way to do that using WCF? Thanks

Need help in reading Soap request and response on invoking WCF client assembly

Hi All,   I'm new to WCF and i'm using .Net 3.5. I have created a library from the proxy class generated through svcutil. I'm able to succesfully invoke service methods. I was wondering how to capture the request and response soap xmls so that i could render it on browser. If you have any code piece for this kind of problem please share it with me. Regards, Rahul

HTTPContext.Current.Session losing the variable sporatically

I have noticed a strange behaviour in my ASP.net 2.0 application. I have some logic in my aspx page that accesses some Session variables fine, then accesses some app_code and most of the time the HTTPContext.Current.Session returns the variable back fine.  However, I have noticed that sometimes this Session returns null, like it has lost it's "pointer" to the current HTTPContext. Is this a known bug, has anyone seen something like this before?   Any help would be appreciated, thanks, Mark. 
ASP.NetWindows Application  .NET Framework  C#  VB.Net  ADO.Net  
Sql Server  SharePoint  Silverlight  Others  All   

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend