Strange problem: Fix for "A potentially dangerous Request.Form" causes "Runtime Error"

Hi all, 

I am a DNN/ASP.NET newbie trying to get a DNN site running with a hosted server (WebHost4life). I have read all of the posts, googled and queried references (DNN FAQ, ...) concerning the "A potentially dangerous Request.Form" error when editing module content and using HTML/Rich Text. I tried both of the following changes to the web.config file and each caused an odd error:
<pages enableViewStateMac="true" validateRequest="false" />
<validateRequest="false" />
The error is as follows, and occurs whenever the site URL is accessed, not just when module content is being edited:
Server Error in '/donovan/mobiliq' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".

<!-- Web.Config Configuration File -->
<customErrors mode="Off"/>

The strange thing is that <customErrors mode="Off"/> is already set in web.config, so I am at a loss as to why I am not receiving error details.
So, it appears that the published "fix" for the "... potentially dangerous Request.Form" issue breaks the website.
The site is DotNetNuke_1[1].0.10d and is hosted on webHost4Life, which is running Windows Server2003 with .NET Framework 1.1.
Any suggestions are appreciated. Thanks,
Donovan Dillon.
1/3/2004 8:00:50 PM 25171 articles. 0 followers. Follow

7 Replies

Similar Articles

[PageSpeed] 54


<pages enableViewStateMac="true" validateRequest="false" />
<validateRequest="false" />

is wrong.

<pages enableViewStateMac="true" validateRequest="false" />

Would be correct. The problem is, in this case I expect the program is unable tp parse Web.Config, and so does not know you want to show errors.

Starting with ASP.NET 2.0? Look at:
Programming Microsoft Web Forms
My Blog
1/3/2004 8:08:12 PM
Thanks Douglas.  The problem was caused by a duplicate "<pages enableViewStateMac="true" />" node in the web.config file.
1/4/2004 12:16:24 AM
I'm also having a similar problem; however, I can't find the lines referenced above (did a global search in VS) to make the change.  I'm using DNN v1.0.10d.  Any help will be most appreciated!!!

Here's my error:
Server Error in '/dotnetnuke' Application.
A potentially dangerous Request.Form value was detected from the client (_ctl0:txtContainer="<table cellpadding="...").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (_ctl0:txtContainer="<table cellpadding="...").
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (_ctl0:txtContainer="<table cellpadding="...").]
System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +230
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +99
System.Web.HttpRequest.get_Form() +113
System.Web.UI.Page.GetCollectionBasedOnMethod() +69
System.Web.UI.Page.DeterminePostBackMode() +47
System.Web.UI.Page.ProcessRequestMain() +2106
System.Web.UI.Page.ProcessRequest() +218
System.Web.UI.Page.ProcessRequest(HttpContext context) +18
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87

1/5/2004 4:53:04 PM
You should have, in the Web.COnfig file a <pages> tag.  Add validateRequest="false", like the following...

<pages enableViewStateMac="true" validateRequest="false" />

Starting with ASP.NET 2.0? Look at:
Programming Microsoft Web Forms
My Blog
1/5/2004 5:03:36 PM
That worked.  Thanks Douglas!
1/5/2004 6:07:42 PM
web.config file is case sensitive change customErrors mode="off" to customerrors mode="off" if that doesn't fix this problem check your machine.config and make sure the custom errors tag matches. 

Also add the previous mentioned pages tag in that same section (system.web) right below the customerrors tag and this should fix all the problems.
1/9/2004 8:19:59 AM
Please ignore the first part of my previous post.  The second part checking the machine.config file was the real task I wanted you to check.  I had my gray cells in another place for a moment. 

1/9/2004 8:23:05 AM

Similar Artilces:

.ALLCOL("%COLUMN%", " ", ", ", ", ")
Do you know anyway for me to exclude a subset of columns returned by this function. We have two columns (rec_user and rec_datetime) which are in all of our tables, but when generating triggers I want automatically generate a script which does not include those two columns but does include all other columns in that table. Bruce I should add that I am using PD Bruce "Bruce Lamb" <> wrote in message > Do you know anyway for me to exclude a subset of columns returned by this > function. ...

Precedence of "where" ("of", "is", "will")?
Nobody on #perl6 today could answer this one. Is: Str | Int where { $_ } the same as: (Str | Int) where { $_ } or: Str | (Int where { $_ }) ? Followup questions, Mr. President: What kind of operators are "where", "of", "is", and "will"? Is there a reason that S03 doesn't list them? What are their precedence(s)? -- Chip Salzenberg - a.k.a. - <> Open Source is not an excuse to write fun code then leave the actual work to others. Chip Salzenberg writes: &...

quotes, quotes, quotes...
I am getting this error and I know what is causing it, but I have no idea how to fix it, any help would be great. The script steps through the /var/log/messages file on a linux server and puts The entries into a mysql database. However when it gets to the 'hlt' line in the messages file it just barfs. The single quotes are freaking it out. I know about quotes but not how to use in this situation. Thanks, Paul Error: May 27 17:53:00 localhost kernel: Checking 'hlt' instruction... OK. <----- doesn't like this in the messages file DBD::mysql::st exec...

What is causing "potentially dangerous Request.Form value" error?
I have a .NET 1.1 web site which has a marquee div on the home page which scrolls news articles. Currently, there is just a single article. The user can click on the headline which links them to the full story. Since this feature was added to the home page, I occasionally get notified of the following error: Error Detail: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (_ctl0:litTicker="<ul><li><a href='Pub..."). I've tried to reproduce the error but without success. The HttpMethod is a PO...

Problem with "isc_service_query" and "isc_info_svc_get_license" +"isc_info_svc_get_licensed_users"
I have problem with getting a correct result from "isc_service_query" when I pass "3A" (Get license and licensed_users), in fact I get an "Unexpected Output buffer value" error when IBX tries to read the license information from the result. From the debugging I have done it seems like I dont get the correct result from Interbase. Looking at the result I see that I get a correct value on "isc_info_svc_get_licensed_users", but the rest of the buffer is filled with zeros where I expect to see 0x33 and information about licenses. I am using...

What is a "Session" and a "Request" ??
Hello,  I'm new to ASP.Net 2.0 , and I still can't understand what is a "Session" and what is a "Request" ??   Thank You the client browser will request a page and the Request object will give you information about what page they are requesting. the session is a statebag where you can store information that will continue to exist after the page has executed.  information can be added to the Session in page A and then read back from the Session in page B.  the session object is unique per user - so one users does not see data stored b...

"To" and "From" missing
When I print emails, the words "To" and "From" are blank, even though the "To" name and "From name (addresser, addressee) do show up. This is not a problem for other users on my system. Suggestions In mailbox right click, view. On the message window, right click and choose print options. Make sure print header is checked. -- Barry Merchant NSC Volunteer SysOp *** no email unless requested please!! *** > In mailbox right click, view. On the message window, right click and > choose print options. Make sure prin...

"Using" or "With"
Hi all Please can someone enlighten to me as regards the difference with the "Using" and "With" statement when accessing data - which is better, what are the limitations and/or any pointers. Many thanks. Regards DaveDavid WinchesterPlease mark as answer if this is the solution.  using gives you the ability to use the connection and it closes the connection directlly after you finish using it. and there is no need to try- cach - finaly. there is no limitation on using USING keywordMuhanad YOUNISMCSD.NETMy Blog || My Photos || LinkedIn I have a dataobject the re...

"-" not "_"
I wrote a SQL statement in the data tab. I wrote a bunch of alaises as example ' word-type ' but when I hit the layout tab it converts the "-" to "_". So now my field name is ' word_type '. Is there any way to prevent this? CardGunner Don' use a hypen ( - ).  It isn't a valid character for column names.   See,289625,sid87_gci1188931,00.html   Here's an excerpt about column names: Letters as defined in the Unicode Standard 2.0 Decimal numbers from either B...

Replacing "\\" with "\"
Hi all I'm getting this value from a CheckBoxList control - a location of file, i have to remove "\\" and replace it with "\" and pass it to Query, how to do it, i tried with Replace, but coud'nt suceed. "\\\\Blaze10xp\\BLZ_SFS_07\\Sample Excel Files\\Excel Files\\report2.xls" thank's in advance - Prakash.C you tried Replace like this? string newstring = oldstring.Replace(@"\\",@"\");Plese, do not forget to click "Mark as Answer" on the post that helped you. Thanx!My blog: Scenes From A Developer Memory yes i tr...

double quote
hello there...  i tried everything of think but not working the way i wanted to be... not sure what i'm missing...i'm generating a <span> in code behind and then using in javascript.... here is what i'm doing code behind: int i=0string _keywordID = "keyword";string _name = row["visit_info_nm"].ToString().Trim(); String _getElementByID = String.Format("<span id='{0}' OnClick = \"document.getElementById('{1}').value='{2}';\">{3}</span><br>", i, _keywordID, _name, _name); here is what it generate : <span id='1' OnClick = \"document.getElementById('keyword')...

replace the "." with a ","
Oi.... I need to build a small programm in ASP.NET and chose to use C# for it.Now i got everything working but there's one little problem.the first textbox is a double. I need to make it so that when someone enters a "." then it gets replaced by a ","any ideas?Ghan  string blah = "";blah = blah.Replace(".", ",");Ryan Ryan OlshanASPInsider | Microsoft MVP, ASP.NEThttp://ryanolshan.comHow to ask a question...

"Me" is better than "You"
Yes I know, strings are frozen. But let me talk about it, I really can't get through the idea of a PC talkin to me. I consider my PC as an extension of myself, not a dumb companion who addresses Me as You. Yes there are times when I get angry with Him while I work and get wrong calculations etc.., but it really is my fault, Me using wrong istructions and eventually wanting to find someone else to blame, but it's Me. And yes, I consider Thunderbird my mail program, reading my mail on my PC as Me. So I personally like to have Me in the header bar as a compact address ...

Using "+" or "||"
Using SQLAnywhere 5.5.04, I've gotten into the habit of using "||" in ISQL to indicate a string concatenation. I needed to paste my SQL statement into the PowerBuilder script painter for some embedded SQL, and PB didn't like the "||" very much at all. I changed it to "+" and it seems to be ok. Do these two operators indicate ~exactly~ the same thing? moin, afaik these two's are not the same! if you're using "||" and any term is NULL then in the resultstring the term will be ignored if you use "+" then the resu...

Web resources about - Strange problem: Fix for "A potentially dangerous Request.Form" causes "Runtime Error" -

Resources last updated: 1/1/2016 11:07:58 AM