Microsoft KB Archive/821343

= You receive an error message when you deploy an ASP.NET 1.0 application on a server with ASP.NET 1.1 =

Article ID: 821343

Article Last Modified on 5/18/2007


APPLIES TO


 * Microsoft ASP.NET 1.1

SYMPTOMS
When you deploy a Microsoft ASP.NET 1.0 Web application on a server with the Microsoft .NET Framework version 1.1 installed, you receive the following error message when unencoded input is submitted:

A potentially dangerous Request.Form value was detected from the client



CAUSE
When the .NET Framework 1.1 is installed on a computer, the default value of the validateRequest attribute is true. When the value of validateRequest is set to true, request validation is performed and an exception is thrown if the input has potentially dangerous values.

The new request validation feature in ASP.NET 1.1 proactively prevents attacks from dangerous values. It does not allow the server to process unencoded HTML content unless you decide to allow the content. The request validation feature is designed to help prevent some script-injection attacks where client script code or HTML can be unknowingly submitted to a server, can be stored, and then can be presented to other users.



RESOLUTION
The request validation feature of ASP.NET 1.1 prevents the server from accepting content that contains unencoded HTML. You can disable request validation by setting the validateRequest attribute to false in the @ Page directive or in the configuration section.

Disable Request Validation on a Page
To disable request validation on a page, set the validateRequest attribute of the @ Page directive to false:

    <%@ Page validateRequest="false" %>

Note When request validation is disabled, content is submitted to the page without being checked. The page developer must make sure that the content is correctly encoded or is correctly processed.

Disable Request Validation for Your Application
To disable request validation for your application, modify or create a Web.config file for your application and set the validateRequest attribute of the section to false. If you want to disable request validation for all applications on your server, make the same change in your Machine.config file.

Note When request validation is disabled, content is submitted to your application. The application developer must make sure that the content is correctly encoded or is correctly processed.
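The following Web.config fragment is an added example, not the article's own listing. It places the setting where ASP.NET 1.1 reads it, the pages element under system.web; the same element in Machine.config applies the setting to every application on the server.

```xml
<configuration>
  <system.web>
    <!-- Turns request validation off for every page in this application.
         Every place that echoes user input must then HTML encode it. -->
    <pages validateRequest="false" />
  </system.web>
</configuration>
```

A @ Page directive with validateRequest set explicitly overrides this application-wide value for that page only.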

HTML Encode the Content
When request validation is disabled, you must HTML encode the content to prevent possible attacks by unencoded HTML content.

If you have disabled request validation, it is good practice to HTML encode content that will be stored for future use. HTML encoding automatically replaces any "<" or ">" characters (and several other symbols) with their corresponding HTML encoded representation.

You can easily HTML encode content on the server by using the Server.HtmlEncode method. You can also easily HTML decode content. HTML decoding reverts HTML-encoded content back to standard HTML. To do this, use the Server.HtmlDecode method.

Use the following code:

Microsoft Visual Basic .NET Code

    <%@ Page Language="vb" validateRequest="false" %>
    <HTML>
      <HEAD>
        <title>WebForm2</title>
        <script runat="server">
          Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)
            ' Set the label to the HTML-encoded value of the TextBox.
            Label1.Text = Server.HtmlEncode(TextBox1.Text)
          End Sub
        </script>
      </HEAD>
      <body>
        <form id="Form1" method="post" runat="server">
          <!-- OnClick wires the Click event to the handler in this single-file page. -->
          <asp:Button id="Button1" runat="server" Text="Button" OnClick="Button1_Click"></asp:Button>
          <asp:Label id="Label1" style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label</asp:Label>
          <asp:TextBox id="TextBox1" style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server"></asp:TextBox>
        </form>
      </body>
    </HTML>

Microsoft Visual C# .NET Code

    <%@ Page Language="c#" validateRequest="false" %>
    <HTML>
      <HEAD>
        <title>WebForm2</title>
        <script runat="server">
          private void Button1_Click(object sender, System.EventArgs e)
          {
            // Set the label to the HTML-encoded value of the TextBox.
            Label1.Text = Server.HtmlEncode(TextBox1.Text);
          }
        </script>
      </HEAD>
      <body>
        <form id="Form1" method="post" runat="server">
          <!-- OnClick wires the Click event to the handler in this single-file page. -->
          <asp:Button id="Button1" runat="server" Text="Button" OnClick="Button1_Click"></asp:Button>
          <asp:Label id="Label1" style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label</asp:Label>
          <asp:TextBox id="TextBox1" style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server"></asp:TextBox>
        </form>
      </body>
    </HTML>
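As an added example that is not from the article, the following stand-alone C# console program runs the article's test string through the same encoding that Server.HtmlEncode performs (Server.HtmlEncode calls System.Web.HttpUtility.HtmlEncode) and then decodes it again, so the effect of each method can be inspected outside a Web Form. The class and method names and the sample input are chosen for this example.

```csharp
// Added example, not code from the KB article. Demonstrates what
// HttpUtility.HtmlEncode / HtmlDecode (the methods behind Server.HtmlEncode
// and Server.HtmlDecode) do to the article's test input.
// Build with: csc /r:System.Web.dll HtmlEncodeDemo.cs
using System;
using System.Web;

class HtmlEncodeDemo
{
    // Constructed sample input: the string typed into the text box in the
    // article's reproduction steps.
    const string Input = "<script>alert(\"cross-site script test!\")</script>";

    // Encodes text so that it is displayed literally when placed in HTML
    // element content instead of being parsed as markup.
    static string Encode(string text)
    {
        return HttpUtility.HtmlEncode(text);
    }

    // Reverses the encoding. The result is raw HTML again, so it must be
    // re-encoded before it is written into a page.
    static string Decode(string encoded)
    {
        return HttpUtility.HtmlDecode(encoded);
    }

    // True when the text still contains the characters that start HTML tags,
    // which is the condition request validation reacts to and HtmlEncode removes.
    static bool ContainsTagCharacters(string text)
    {
        return text.IndexOfAny(new char[] { '<', '>' }) >= 0;
    }

    static void Main()
    {
        string encoded = Encode(Input);
        Console.WriteLine("Original: " + Input);
        Console.WriteLine("Encoded:  " + encoded);
        Console.WriteLine("Encoded output contains tag characters: " + ContainsTagCharacters(encoded));

        string decoded = Decode(encoded);
        Console.WriteLine("Decoded:  " + decoded);
        Console.WriteLine("Round trip restores the input: " + (decoded == Input));
        Console.WriteLine("Decoded output contains tag characters: " + ContainsTagCharacters(decoded));
    }
}
```

In the .NET Framework 1.1, HtmlEncode replaces "<", ">", "\"" and "&" (and characters in the 160 to 255 range) with their entity forms and leaves the single quotation mark alone, so the encoded value is suitable for element content and double-quoted attribute values. Because Label.Text is written to the response as-is, the encoding has to happen on the way into the label, as the article's listings do, and any value that has been passed through HtmlDecode must be treated as raw HTML again.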


STATUS
This behavior is by design.


Steps to Reproduce the Behavior
1. Start Microsoft Visual Studio .NET.
2. Create a new ASP.NET 1.0 Web application by using Visual C# .NET or Visual Basic .NET. By default, WebForm1.aspx is created.
3. Add a Button control, a TextBox control, and a Label control to WebForm1.aspx.
4. Right-click WebForm1.aspx, and then click View HTML Source.
5. Replace the existing code with the following code:

   Visual Basic .NET Code

       <%@ Page Language="vb" %>
       <HTML>
         <HEAD>
           <title>WebForm2</title>
           <script runat="server">
             Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)
               ' The text is copied to the label without HTML encoding.
               Label1.Text = TextBox1.Text
             End Sub
           </script>
         </HEAD>
         <body>
           <form id="Form1" method="post" runat="server">
             <asp:Button id="Button1" runat="server" Text="Button" OnClick="Button1_Click"></asp:Button>
             <asp:Label id="Label1" style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label</asp:Label>
             <asp:TextBox id="TextBox1" style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server"></asp:TextBox>
           </form>
         </body>
       </HTML>

   Visual C# .NET Code

       <%@ Page Language="c#" %>
       <HTML>
         <HEAD>
           <title>WebForm2</title>
           <script runat="server">
             private void Button1_Click(object sender, System.EventArgs e)
             {
               // The text is copied to the label without HTML encoding.
               Label1.Text = TextBox1.Text;
             }
           </script>
         </HEAD>
         <body>
           <form id="Form1" method="post" runat="server">
             <asp:Button id="Button1" runat="server" Text="Button" OnClick="Button1_Click"></asp:Button>
             <asp:Label id="Label1" style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label</asp:Label>
             <asp:TextBox id="TextBox1" style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server"></asp:TextBox>
           </form>
         </body>
       </HTML>

6. On the Debug menu, click Start to run the application.
7. Type the following text in the text box:

       <script>alert("cross-site script test!")</script>

8. Click Button, and notice that the script is posted back without HTML encoding. The message box appears.
9. Deploy the same code on a server with the .NET Framework version 1.1 installed. You receive the error message that is mentioned in the "Symptoms" section of this article.
