Disabling ASP.NET Request Validation (for just one page) in a .NET 3.5 project hosted on IIS 7.5 with only .NET 4.0 installed

Kieran Benton picture Kieran Benton · May 6, 2011 · Viewed 8.5k times · Source

I'm having a problem with request validation in ASP.NET webforms that I am fairly sure is down to me hosting a .NET 3.5 project on IIS 7.5 (Windows 7 - local development machine).

Essentially I'm receiving a postback from an external site (that is entirely outside of my control) and receiving the following exception:

A potentially dangerous Request.QueryString value was detected from the client (DATA="<IDP MSGTYPE="Authen...").

I've got this set in the page declaration:

<%@ page language="C#" autoeventwireup="true" inherits="postexternal" enableviewstate="false" masterpagefile="~/SiteBase/transactional.master" Codebehind="postexternal.aspx.cs" validaterequest="false" %>

(and additionally I've tried turning it off in web.config/page as well - to no avail.

I think that this may be to do with a breaking change made in (what MS say) ASP.NET 4.0, as described here: http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes#0.1__Toc256770147

But if I add that configuration into my web.config I get a configuration error (as its running in a .NET 2.0 application pool).

Whichever way I look I'm stuck at the moment so would appreciate any pointers/advice people have. Is there anyway I can work around this any other way?). I could try to install .NET 2.0 but I'm not sure that is even going to work (and seems a pretty fragile method to try).

Thanks.

Answer

Chad Grant picture Chad Grant · Nov 5, 2011

I had this issue too and adding this to the web.config resolved the issue.

<httpRuntime requestPathInvalidCharacters="" />

By Default, .Net 4.0 rejects all requests with <>*%&:\? characters which may be causing the issue for you like it was for me.

[ConfigurationProperty("requestPathInvalidCharacters", DefaultValue=@"<,>,*,%,&,:,\,?")]
public string RequestPathInvalidCharacters { get; set; }