Disabling ASP.NET Request Validation (for just one page) in a .NET 3.5 project hosted on IIS 7.5 with only .NET 4.0 installed
I'm having a problem with request validation in ASP.NET webforms that I am fairly sure is down to me hosting a .NET 3.5 project on IIS 7.5 (Windows 7 - local development machine).
Essentially I'm receiving a postback from an external site (that is entirely outside of my control) and receiving the following exception:
A potentially dangerous Request.QueryString value was detected from the client (DATA="<IDP MSGTYPE="Authen...").
I've got this set in the page declaration:
<%@ page language="C#" autoeventwireup="true" inherits="postexternal" enableviewstate="false" masterpagefile="~/SiteBase/transactional.master" Codebehind="postexternal.aspx.cs" validaterequest="false" %>
(and additionally I've tried turning it off in web.config/page as well - to no avail.
I think that this may be to do with a breaking change made in (what MS say) ASP.NET 4.0, as described here: http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes#0.1__Toc256770147
But if I add that configuration into my web.config I get a configuration error (as its running in a .NET 2.0 application pool).
Whichever way I look I'm stuck at the moment so would appreciate any pointers/advice people have. Is there anyway I can work around this any other way?). I could try to install .NET 2.0 but I'm not sure that is even going to work (and seems a pretty fragile method to try).
Thanks.
Answer
I had this issue too and adding this to the web.config resolved the issue.
<httpRuntime requestPathInvalidCharacters="" />
By Default, .Net 4.0 rejects all requests with <>*%&:\? characters which may be causing the issue for you like it was for me.
[ConfigurationProperty("requestPathInvalidCharacters", DefaultValue=@"<,>,*,%,&,:,\,?")]
public string RequestPathInvalidCharacters { get; set; }