Hi Scott M,
Thank you for your prompt response. First I'd appologize for
misunderstandin g your problem. Now, I've got that you've got a single page
which want to get rid of the "request validate" provided by ASP.NET,yes?
After reviewing the situation you mentioned in the preceding reply. I
thought that the main problem is that your page is compiled under dotnet
framework1.0 and now the enviroment is 1.1. Since in ASP.NET 1.0 there is
no "request validate" for pages, so all the compiled page class(assembly)
didn't have any infomation for this. But because your deplyment enviroment
is 1.1 version, then the ASP.NET runtime will check the page class for the
"validatereques t" information, but it can't find since nothing is set in
1.0, so the ASP.NET runtime use the default setting in the web.config ,if
no setting in the web.config, then use the default setting in the
machine.config, the default value is requestValidate ="true". Then you will
encountered the requestvalidate exception such as
------------------------------------------------------------------exception
occured--------------------------------
A potentially dangerous Request.Form value was detected from the client
(txtTagContent= "<adfd>").
Description: Request Validation has detected a potentially dangerous client
input value, and processing of the request has been aborted. This value may
indicate an attempt to compromise the security of your application, such as
a cross-site scripting attack. You can disable request validation by
setting validateRequest =false in the Page directive or in the configuration
section. However, it is strongly recommended that your application
explicitly check all inputs in this case.
----------------------------------------------------------------------------
--------------------------------------------
Is the situation I described same as yours? Please let me know if there is
anything different.
If so, here is some of my suggestions:
1. Since the "validateReques t" page attribute could only set for ASP.NET
1.1 's page, do you think it possible that you recompile the page classes
under 1.1 framework?
2. If you it really unconfortable for you to recompile the pages again,
I've another way to workaround this problem. Since the default value of
"validateReques t" can be set in web.config file. We can take advantage of
this feature to set the default value as "false". However, you may think
that it'll cause all the pages having no requestvalidate checking. Yes, but
in ASP.NET web applications there can be more than one web.config files as
long as they are in different folders. So my suggestion is to create a
separate sub folder , and put a certain web.config file particularly for
the subfolder,
For example, my web application's root folder is "MyWebApp", it has some
pages and a web.config file, then, I create another sub folder named
"noncheck" and also provide a web.config file in it. The file structure is
like:
wwwroot/MyWebApp
web.config
...some asp.net pages
/noncheck
singlenocheck.a spx
web.config
the "singlenocheck. aspx" is the page which need no "requestValidat e" check.
Then,in the "MyWebApp" folder's web.config file , we set the
requestvalidate as ture,just add this:
<pages
validateRequest ="true"/>
in the "noncheck" subfolder's web.config file , we set as below:
<?xml version="1.0" encoding="utf-8" ?>
<configuratio n>
<system.web>
<pages
validateRequest ="false"/>
</system.web>
</configuration>
Thus, when we request the pages in the root folder, the ASP.NET runtime
will have the requestvalidate check, and if we request the
"singlenocheck. aspx" in the "noncheck" folder , it will apply the setting
the subfolder's web.config, it won't check the request data.
Please try the preceding suggestions to see whether they help. If you have
any new findings please also let me know. Thanks.
Merry Christmas!!
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
