When I try to send a form containing a value with XML, I get an HttpRequestValidationException:

A potentially dangerous Request.Form value was detected from the client

All approaches I found:

  1. <%@ Page ValidateRequest="false" %> in .aspx-file.
  2. <pages validateRequest="false" /> in web.config.
  3. [ValidateInput(false)] on controller's action.

don't help me.

Hope for any advice.

50 accepted

This is a documented breaking change in ASP.NET 4. See this whitepaper for more information. In short, add this in your system.web section of ~\Web.config:

<httpRuntime requestValidationMode="2.0" />

And remember to put [ValidateInput(false)] on controllers / actions you don't want to go through validation.
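The two steps from the answer put together, as an added example that is not part of the original answer. It assumes ASP.NET MVC on .NET 4; `ImportController`, `Upload` and the `payload` form field are hypothetical names. With request validation off for the action, the XML is parsed defensively and encoded before it is written back out.

```csharp
// Added example, not from the original answer. Hypothetical names:
// ImportController, Upload, and the "payload" form field.
//
// ~\Web.config (the element goes inside <system.web>):
//   <configuration>
//     <system.web>
//       <httpRuntime requestValidationMode="2.0" />
//     </system.web>
//   </configuration>
using System.IO;
using System.Web;
using System.Web.Mvc;
using System.Xml;
using System.Xml.Linq;

public class ImportController : Controller
{
    // Request validation is switched off for this one action only,
    // so the action has to validate the posted field itself.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Upload(string payload)
    {
        if (string.IsNullOrEmpty(payload))
            return Reject("Missing payload.");

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // reject DOCTYPE: no entity expansion
            XmlResolver = null                      // never fetch external resources
        };

        XDocument doc;
        try
        {
            using (var reader = XmlReader.Create(new StringReader(payload), settings))
                doc = XDocument.Load(reader);
        }
        catch (XmlException)
        {
            return Reject("Payload is not well-formed XML.");
        }

        // Encode anything taken from the payload before it reaches HTML output.
        string root = HttpUtility.HtmlEncode(doc.Root.Name.LocalName);
        return Content("Received document with root element: " + root, "text/html");
    }

    private ActionResult Reject(string message)
    {
        Response.StatusCode = 400;
        return Content(message, "text/plain");
    }
}
```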


I applied all the above but I'm still getting the same error. I'm using ASP.NET Web Forms 4.0.


Is there any way to handle this without going back to 2.0?


Same problem using UrlEncoding for a search URL. Server.UrlEncoding() adds a plus (+) sign for spaces in the string. Strangely, it works with the same settings on my local IIS (on Windows 7 x64). The server is Windows 2008 x64 with IIS 7.0.


I have included the line in my web.config file but still see the validation error for ASP.NET 4 Web Forms.


The problem I had was that I was linking to a file that had a special character in the name, i.e. "&". Once I removed the & it worked fine. I guess look for special characters.


Does it matter where exactly I paste this line:

<httpRuntime requestValidationMode="2.0" />

If it does, where should it be?