requestValidationMode 4.5 vs 2.0

Paritosh · May 16, 2013 · Viewed 46.1k times

Is there a difference between requestValidationMode="4.5" and requestValidationMode="2.0"? I have a .NET 4.5 application; there is a control which I don't want to validate, as users can enter HTML tags in it:

<asp:TextBox ID="txtTitle" runat="server" ValidateRequestMode="Disabled" />

In my web.config I have:

<compilation debug="true" strict="false" explicit="true" targetFramework="4.5">...</compilation> 
<httpRuntime targetFramework="4.5" requestValidationMode="2.0"  />

Initially I put requestValidationMode="4.5" but that didn't work; I would still get the error about the tags - "A potentially dangerous Request.Form value was detected from the client ..." as soon as I would submit the form. However, if I set it to requestValidationMode="2.0" it works; I'm able to hit the PageLoad and encode the value from that field.

Answer

chris_dotnet · May 16, 2013

Yes, there is a difference between the two. Any requestValidationMode specified as 4.0 or above will use the 4.0 way, and any requestValidationMode specified as below 4.0 will use the 2.0 way. Below is a description of the two:

http://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.requestvalidationmode.aspx

4.0 (the default). The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever any HTTP request data is accessed. This guarantees that the request validation is triggered before data such as cookies and URLs are accessed during the request. The request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are ignored.

2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.

As a note: there are other solutions. Since you are using ASP.NET 4.5, you may want to look into validating at a per-control level; that way you can leave the requestValidationMode property in the web.config at 4.5 and only change it on controls that need it. http://msdn.microsoft.com/en-us/library/system.web.ui.control.validaterequestmode.aspx
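
The per-control approach from the note above, as an added example that is not part of the original question or answer: a single-file Web Forms page that opts one TextBox out of request validation while web.config stays at requestValidationMode="4.5", and HTML-encodes the unvalidated value where it is written out. The file name, the second text box (txtAuthor), the button and the Literal controls are assumptions made for illustration.

```aspx
<%@ Page Language="C#" %>
<%-- TitleForm.aspx (hypothetical file name). Added example, not code from the thread.
     Assumed web.config setting, left at the stricter mode:
       <httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
     so cookies, URLs and every other form field are still validated on access. --%>
<script runat="server">
    protected void btnSave_Click(object sender, EventArgs e)
    {
        // txtTitle is opted out of request validation below, so its value is
        // untrusted markup: encode it at the point where it is written to the page.
        string rawTitle = txtTitle.Text;
        litTitle.Text = Server.HtmlEncode(rawTitle);

        // txtAuthor keeps the default mode. A posted value that looks like markup
        // raises HttpRequestValidationException before this handler runs.
        // It is encoded anyway: request validation is not a substitute for
        // output encoding.
        litAuthor.Text = Server.HtmlEncode(txtAuthor.Text);

        // Reading the opted-out field through Request.Form["..."] directly would
        // validate it again and throw; Request.Unvalidated.Form is the
        // unvalidated accessor added in ASP.NET 4.5.
    }
</script>
<!DOCTYPE html>
<html>
<body>
<form id="form1" runat="server">
    <%-- Only this control skips request validation. --%>
    <asp:TextBox ID="txtTitle" runat="server" ValidateRequestMode="Disabled" />

    <%-- No ValidateRequestMode attribute: inherits the page setting, still validated. --%>
    <asp:TextBox ID="txtAuthor" runat="server" />

    <asp:Button ID="btnSave" runat="server" Text="Save" OnClick="btnSave_Click" />

    <p>Title: <asp:Literal ID="litTitle" runat="server" /></p>
    <p>Author: <asp:Literal ID="litAuthor" runat="server" /></p>
</form>
</body>
</html>
```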