I am experiencing an issue with a web app that is frequently spewing out the following style error with just a single aspx page:
Browser: IE
Url Referrer: redacted
User Host 1.1.1.1
User Host Name: 1.1.1.1
Last Error: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl11$lbl="...na Redacte w..."). at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) at System.Web.HttpRequest.get_Form() at System.Web.HttpRequest.get_HasForm() at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.pages_front_closingques_default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Stack Trace: at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) at System.Web.HttpRequest.get_Form() at System.Web.HttpRequest.get_HasForm() at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.pages_front_closingques_default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Source: System.Web
Message: A potentially dangerous Request.Form value was detected from the client (ctl11$lbl="...na Redacte w...").
Normally, I would suspect that the user must have done something dumb like put an HTML tag in there, but this happens frequently and no HTML tags are reported in the email.
I know that I can turn off ValidateRequest using the RequestValidation="false" Page directive, but that is also undesirable because I want some validation, just not over-sensitive validation.
Is there some way I can override the default implementation of ValidateRequest? Has anybody run into ValidateRequest erroneously producing errors before? Finally, does anybody know what the implementation of ValidateRequest even looks like?
Since you say that the false positives are coming from just the one page, I would keep the site level web.config setting enabled, and disable the page level validation for just this page.
Then you need to take responsibility for user input on the page: