A potentially dangerous Request.QueryString value was detected from the client when sending html markup from jquery post call to asp.net page

Question

I m making an ajax call using jQuery to an ASP.NET page which acts as my ajax server page to save the data which i am sending to it in the query string. In the ASP.NET page when i am trying to read the querystring i am getting this error:

A potentially dangerous Request.QueryString value was detected from the client...

I have set the ValidateRequest="false" in my page. Dont want to set it for all the pages. So did it in page level instead of config level:

  var content = "<h3>Sample header</h3><p>sample para</p>"
  content = encodeURIComponent(content);
  var url = "../Lib/ajaxhandler.aspx?mode=savecontent&page=home&ltxt=" + content;

     $.post(url, function (data) { 
       //check return value and do something
   });

and in my asp.net page:

 <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="ajaxhandler.aspx.cs" ValidateRequest="false" Inherits="MyProject.Lib.ajaxhandler" %>

But when i am sending plain text instead of the html markup, it works fine.

Answer 1

If this is ASP.NET 4, there was a breaking change with ValidateRequest. See this StackOverflow question for more information on requestValidationMode.

Answer 2

There's already a good answer for this, and here i'll provide the information so that you don't have to click through links.

When running ASP.NET 4.0, you will need to set the following in your web.config file RequestValidationMode="2.0".

What is this property for?

A value that indicates which ASP.NET version-specific approach to validation will be used. The default is 4.0.

So what are the possible values?

• 4.0 (the default). The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever any
  HTTP request data is accessed. This guarantees that the request
  validation is triggered before data such as cookies and URLs are
  accessed during the request. The request validation settings of the
  pages element (if any) in the configuration file or of the @ Page
  directive in an individual page are ignored.

• 2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.

Information citated from this msdn site.

Answer 3

If you want to add a custom validation logic for one particular ASP.NET page or for one or more query string parameters without setting ValidateRequest="false" for entire page - the following "hacky" solution could be useful:

public partial class MyPage : System.Web.UI.Page
{
    private string SomeUnvalidatedValue { get; set; }

    public override void ProcessRequest(HttpContext context)
    {
        var queryString = context.Request.QueryString;

        var readOnly = queryString.GetType().GetProperty("IsReadOnly",
            System.Reflection.BindingFlags.Instance | System.Reflection.BindingFlags.NonPublic);

        readOnly.SetValue(queryString, false);

        var unvalidatedValue = context.Request.Unvalidated.QueryString["SomeKey"];
        // for RequestValidationMode="2.0"
        //var unvalidatedValue = context.Request.QueryString["SomeKey"];

        // custom logic goes here

        // you could store unvalidated value here and then remove it from the query string
        SomeUnvalidatedValue = unvalidatedValue;
        queryString["SomeKey"] = string.Empty;
        // or just remove all "potentially dangerous" symbols, for example
        if (!string.IsNullOrEmpty(unvalidatedValue))
        {
            queryString["SomeKey"] = Regex.Replace(unvalidatedValue,
                "(\\<+[a-z!/\\?])|(&\\#)", new MatchEvaluator((m) =>
                {
                    return m.Value.Replace("<", string.Empty).Replace("&#", string.Empty);
                }), RegexOptions.IgnoreCase);
        }

        readOnly.SetValue(queryString, true);

        // keep other request validation logic as is
        base.ProcessRequest(context);
    }
}

The regular expression made as result of this ASP.NET method analyzing: CrossSiteScriptingValidation.IsDangerousString

Code tested with .NET 4.5.2, IIS integrated mode, with and without RequestValidationMode="2.0".

Answer 4

I've created a couple reusable methods based on VAV's answer

   public static string ExtractUnvalidatedValue(HttpRequest request, string key)
        {
            var unvalidatedValue =  HttpUtility.UrlDecode(request.Unvalidated.QueryString[key]);
            // for RequestValidationMode="2.0"
            //var unvalidatedValue = context.Request.QueryString["SomeKey"];

          // remove all "potentially dangerous" symbols
            return ReplacePotentiallyDangerousSymbols(unvalidatedValue, string.Empty);
        }

    public static string ReplacePotentiallyDangerousSymbols(string unvalidatedValue, string valueToReplace="")
        {
            if (!string.IsNullOrEmpty(unvalidatedValue))
            {
                //The regular expression made as result of this ASP.NET method analyzing: CrossSiteScriptingValidation.IsDangerousString http://referencesource.microsoft.com/#System.Web/CrossSiteScriptingValidation.cs,3c599cea73c5293b
                unvalidatedValue = Regex.Replace(unvalidatedValue,
                    "(\\<+[a-z!/\\?])|(&\\#)",
                    new MatchEvaluator((m) => { return m.Value.Replace("<", valueToReplace).Replace("&#", valueToReplace); }), RegexOptions.IgnoreCase);
            }
            return unvalidatedValue;
        }

Answer 5

set ValidateRequest="false" on the top of the asp page.