.NET validateRequest causing you grief

The Problem
Being the security experts that they are, Microsoft is attempting to save you from yourself by providing some built-in request validation in .NET. What this means is that if you have a form with user input fields and someone types something evil like HTML 3.0 code into it, you'll get an exciting error message telling you this isn't allowed. The idea here is, of course, to try to keep people from doing things like cross-site scripting (XSS) on your poorly designed web site.

If you're just doing a standard little form, say a contact us form or a user info form or the like, this is probably good news. It may save you a lot of time not having to manually add in validation checks for all your fields, resting assured that MS has it covered for you. However, if you're the type that likes to empower your web users and allow them to use things like the ever popular (rightfully so) FCKeditor to do a little WYSIWYG rich text formatting, you're going to need to allow them to submit some HTML tags in their text.

The solution
There are two ways to turn this handy feature off on your site. You can either use a site-wide setting in your web.config or use validateRequest="false" in your @Page directive. In my opinion, I'd go with the latter as it gives you more control on a page-by-page basis so you don't go turning off validation willy-nilly and forgetting to manually validate some obscure page along the way.
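
What the manual validation can look like on a page that opts out, as an added example that is not code from the original post: everything submitted is HTML-encoded first, and only an exact allow-list of attribute-less tags is turned back into markup. The control IDs, the tag list and the SanitizeRichText helper are assumptions made for illustration.

```aspx
<%@ Page Language="C#" ValidateRequest="false" %>
<%-- Added example. On ASP.NET 4.0 and later this attribute is honoured only if
     web.config also sets <httpRuntime requestValidationMode="2.0" />. --%>
<script runat="server">
    // Hypothetical allow-list: lowercase formatting tags with no attributes,
    // so href, style and on* handlers can never come back as live markup.
    static readonly string[] AllowedTags =
        { "p", "strong", "em", "u", "ul", "ol", "li", "blockquote" };

    // Encode everything, then restore exact matches for the allowed tags.
    // Anything else (script, img, tags carrying attributes) stays inert text.
    static string SanitizeRichText(string raw)
    {
        System.Text.StringBuilder sb =
            new System.Text.StringBuilder(HttpUtility.HtmlEncode(raw ?? ""));
        foreach (string tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        sb.Replace("&lt;br /&gt;", "<br />");
        return sb.ToString();
    }

    protected void Save_Click(object sender, EventArgs e)
    {
        // Plain-text field: no markup is expected, so encode all of it.
        SubjectOut.Text = HttpUtility.HtmlEncode(Subject.Text);
        // Rich-text field: only the allow-listed tags are rendered as markup.
        BodyOut.Text = SanitizeRichText(Body.Text);
    }
</script>
<html>
<body>
<form runat="server">
    <asp:TextBox ID="Subject" runat="server" />
    <asp:TextBox ID="Body" runat="server" TextMode="MultiLine" Rows="8" />
    <asp:Button ID="Save" runat="server" Text="Save" OnClick="Save_Click" />
    <h3><asp:Literal ID="SubjectOut" runat="server" /></h3>
    <div><asp:Literal ID="BodyOut" runat="server" /></div>
</form>
</body>
</html>
```

With validation off, every field on the page needs one of these two treatments, not just the rich text box; editor output that carries attributes (for example a styled paragraph) is shown as literal text rather than rendered.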

Relevant Tags: ASP.NET | Security