Exception message: A potentially dangerous Request.Form value was detected from the client

A recent requirement was to transfer XML documents via HTTP POST on the .NET 2.0 platform. I had set up the "application" to receive the XML stream and save the data as a file (the sample code demonstrates reading the location from config and saving the stream; content validation is not shown).
protected void Page_Load(object sender, EventArgs e)
{
    // Read the raw POST body as text
    using (System.IO.StreamReader reader = new System.IO.StreamReader(Request.InputStream))
    {
        String xmldata = reader.ReadToEnd();
        Response.ContentType = "text/xml";
        Response.Write(String.Format("Bytes received: {0}", xmldata.Length));

        // Drop-off location comes from <appSettings> in web.config
        string myConfigValue = System.Web.Configuration.WebConfigurationManager.AppSettings["DropOffFolder"];
        if (System.IO.Directory.Exists(myConfigValue))
        {
            // Server-generated file name; Path.Combine supplies the separator if the setting lacks one
            Guid g = Guid.NewGuid();
            string filename = System.IO.Path.Combine(myConfigValue, g.ToString() + ".xml");
            using (System.IO.StreamWriter sw = new System.IO.StreamWriter(filename))
            {
                sw.Write(xmldata);
            }
        }
    }

    Response.ContentEncoding = System.Text.Encoding.UTF8;
}


During testing I had successfully exchanged text data. However, when I tried to send XML data I received a 500 response error from the server, which is very generic. I reviewed the event log on the server to see if IIS logged any messages and noticed the following warning:
Exception information:
    Exception type: HttpRequestValidationException
    Exception message: A potentially dangerous Request.Form value was detected from the client.


The server was validating the data stream, which is uuencoded HTML. To bypass this particular validation I added ValidateRequest="false" to the page directive. The ValidateRequest attribute controls whether ASP.NET checks incoming data for potentially dangerous input, such as a scripting attack, that could compromise the security of your application.


Note: When ValidateRequest is disabled, content can be submitted to your application; it is the responsibility of the application developer to ensure that content is properly encoded or processed.
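An added example (not part of the original post) of the content validation that the sample above leaves out and that becomes the page's own job once ValidateRequest is off: it caps the body size, rejects any DOCTYPE, and confirms the body is well-formed XML before anything is written to disk. The class name, method name and the 1 MB limit are assumptions made for this example.

```csharp
// Added example, not the original author's code. Uses .NET 2.0 APIs only.
using System.IO;
using System.Xml;

public static class PostedXmlValidator
{
    // Assumed limit for this example; size it to the documents you expect.
    private const int MaxBytes = 1024 * 1024;

    // Returns the validated bytes, or throws if the body is too large,
    // carries a DTD, or is not a well-formed XML document.
    public static byte[] ReadValidated(Stream body)
    {
        // Buffer the body, stopping as soon as the limit is crossed so an
        // oversized POST is rejected without being read in full.
        MemoryStream buffer = new MemoryStream();
        byte[] chunk = new byte[8192];
        int read;
        while ((read = body.Read(chunk, 0, chunk.Length)) > 0)
        {
            buffer.Write(chunk, 0, read);
            if (buffer.Length > MaxBytes)
                throw new InvalidDataException("Request body exceeds the size limit.");
        }

        XmlReaderSettings settings = new XmlReaderSettings();
        // Reject DOCTYPE declarations: no entity expansion, no external entities.
        // (On .NET 4 and later the equivalent is DtdProcessing.Prohibit.)
        settings.ProhibitDtd = true;
        settings.XmlResolver = null; // never fetch external resources
        settings.ConformanceLevel = ConformanceLevel.Document;

        buffer.Position = 0;
        using (XmlReader reader = XmlReader.Create(buffer, settings))
        {
            // Walking every node forces a full well-formedness check;
            // XmlException is thrown at the first violation.
            while (reader.Read()) { }
        }
        return buffer.ToArray();
    }
}
```

In Page_Load, pass Request.InputStream to ReadValidated and save the returned bytes with System.IO.File.WriteAllBytes; catch XmlException and InvalidDataException and answer with a 400 status instead of saving the file.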

Another way to process the data, without having to disable validation, would be to encode and decode it using Server.HtmlEncode(string) and Server.HtmlDecode(string).
