We have an ASP.NET web forms application which occasionally generates a validation error like below.
What can be the reason for this?
A validation error has occurred.
Exception type: System.Web.HttpRequestValidationException
Exception message: A potentially dangerous Request.QueryString value was detected from the client (_TSM_CombinedScripts_="... </div> ...").
Request URL: https://...:443/Default.aspx?_TSM_HiddenField_=ctl00_sm1_HiddenField&_TSM_CombinedScripts_=%3b%3bAjaxControlToolkit%2c+Version%3d3.5.11119.20050%2c+Culture%3dneutral%2c+PublicKeyToken%3d28f01b0e8%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20</div>%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20<div%20class=
Stack trace: at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
at System.Web.HttpRequest.get_QueryString()
at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
at System.Web.UI.Page.DeterminePostBackMode()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.user_default_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
More details:
I do not think it is a ‘malicious’ request, but that it is due to some incorrect handling of this script link. If so, how do I handle that?
The following script block is in the generated html source for the page in question:
<script src="/Default.aspx?_TSM_HiddenField_= ctl00_sm1_HiddenField&_TSM_CombinedScripts_= %3b%3bAjaxControlToolkit%2c+Version%3d3.5.11119.20050%2c +Culture%3dneutral%2c +PublicKeyToken%3d28f01c0e84b6d53e%3aen%3a7e147239-dd05-47b0-7fb3- f743a139f982%3be2e86bf9%3a1aa13a87%3a8ccd9c1b%3a9ea3f0e2%3a9e7e87e9 %3a4c9865be%3aba594826%3ac4c00916%3a630bb7c2%3af442e939" type="text/javascript"></script>
ASP.NET does not allow any HTML (basically a list of potentially dangerous values) in a Querystring or Form field value by default. This is set by the @Page directive’s ValidateRequest attribute (true by default). You could turn the feature off, but it will open you up to XSS attacks. The better method is to make sure that all your querystrings are properly URL-encoded.
In your case, it appears to be the </div> tag that is causing the problem. If this querystring is being created via Javascript, I would suggest the use of the encodeURIComponent() function to encode values.
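As an added illustration (not code from the question or the answer), the following JavaScript re-implements the simplified rule that ASP.NET request validation applies to each decoded query-string value and runs it over both the failing request URL from the question and the intact script src from the page's HTML source. The rule used here (a '<' followed by a letter, '!', '/' or '?', or '&' followed by '#') is my reading of System.Web's check and is an assumption, and the two sample query strings are constructed from the page with the long whitespace runs shortened.

```javascript
// Simplified model of ASP.NET's "potentially dangerous" test (assumption:
// '<' followed by a letter, '!', '/' or '?', or '&' followed by '#').
// Returns the offending substring, or null when the value would pass.
function findDangerousSequence(value) {
  for (let i = 0; i < value.length - 1; i++) {
    const c = value[i], next = value[i + 1];
    if (c === '<' && /[A-Za-z!\/?]/.test(next)) return value.slice(i, i + 8);
    if (c === '&' && next === '#') return value.slice(i, i + 8);
  }
  return null;
}

// Decode a raw query string the way Request.QueryString does: '+' becomes a
// space, then percent-decoding. Returns a map of name -> decoded value.
function parseQueryString(query) {
  const params = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const raw = eq < 0 ? '' : pair.slice(eq + 1);
    params[decodeURIComponent(name.replace(/\+/g, ' '))] =
      decodeURIComponent(raw.replace(/\+/g, ' '));
  }
  return params;
}

// Validate every decoded value; report parameter name -> offending substring.
function validateRequest(query) {
  const findings = {};
  for (const [name, value] of Object.entries(parseQueryString(query))) {
    const hit = findDangerousSequence(value);
    if (hit !== null) findings[name] = hit;
  }
  return findings;
}

// Constructed from the failing Request URL in the question (whitespace shortened).
const FAILING_QUERY = '_TSM_HiddenField_=ctl00_sm1_HiddenField&_TSM_CombinedScripts_=' +
  '%3b%3bAjaxControlToolkit%2c+Version%3d3.5.11119.20050%2c+Culture%3dneutral%2c' +
  '+PublicKeyToken%3d28f01b0e8%20%20%20</div>%20%20%20<div%20class=';
// Constructed from the intact <script src> in the page source (spaces removed).
const INTACT_QUERY = '_TSM_HiddenField_=ctl00_sm1_HiddenField&_TSM_CombinedScripts_=' +
  '%3b%3bAjaxControlToolkit%2c+Version%3d3.5.11119.20050%2c+Culture%3dneutral%2c' +
  '+PublicKeyToken%3d28f01c0e84b6d53e%3aen%3a7e147239-dd05-47b0-7fb3-f743a139f982';

console.log(validateRequest(FAILING_QUERY)); // flags _TSM_CombinedScripts_ at '</div>'
console.log(validateRequest(INTACT_QUERY));  // {} : the genuine token has no '<'
```

The intact token contains no '<' at all, so validation only fires when the script URL reaches the server with markup spliced into it, as in the failing request above.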