Control level ValidateRequestMode has no effect

EvilBeer picture EvilBeer · May 13, 2014 · Viewed 10.1k times · Source

I'm using ASP.NET WebForms (.NET 4.5) and have an "content block" control, which is reused on a number of pages. I've tried setting the ValidateRequestMode of the control and even individual elements to "Disabled", but the request validation coming from web.config still prevents unsafe input.

Is there a way around this or am I doing something wrong?

Example:

Answer

Jason Elkin picture Jason Elkin · Feb 5, 2015

I just solved this same problem for a site with the code below, after a morning of trial and error - Microsoft's documentation on the new Request Validation process seems to be wrong when it comes to WebForms.

Target .NET 4.5 in the web.config like this:

<httpRuntime targetFramework="4.5" requestValidationMode="4.5" />

And then adding ValidateRequestMode="Disabled"to the input controls themselves i.e.:

<asp:textbox id="myControl" runat="server" ValidateRequestMode="Disabled"/>

If you are accessing POST data directly (as opposed to via myControl.Text) You will also need to bypass validation at that point:

Request.Unvalidated.Form("myControl");