Why does Glimpse turn off request validation?

I found that request validation did not work on my PC, which meant that it behaves differently with our web servers. After some experiments, it seems that Glimpse is the reason (the version with Glimpse has not yet gone live, so the servers are working fine).

e.g. this malicious URL:

http://website/?foo=<script>

... should cause the following error:

The potentially dangerous Request.QueryString value was detected by the client (foo = "<script>").

However, as soon as Glimpse is registered in the "modules" section of web.config, the request is not checked (even if Glimpse is disabled), leaving the site open to cross-site scripting attacks (XSS).

If I delete the line that registers Glimpse, then request checking immediately works fine again. In IIS 7.5 it looks like this:

<system.webServer>
    <modules>
        <!-- Removing this line restores request validation -->
        <add name="Glimpse" type="Glimpse.AspNet.HttpModule, Glimpse.AspNet" preCondition="integratedMode" />
    </modules>
</system.webServer>

Is there a way to fix this, or is it a bug in Glimpse?

Update 1:

I have now checked that the problem also occurs with a fresh installation of Glimpse in an unrelated project (ASP.NET 4.5.1), so this is not an incompatibility with the original project. I did not change any settings, I just installed it from NuGet, and the problem was immediately obvious.

I also noticed that if I put <glimpse defaultRuntimePolicy="Off" /> in Web.config, then request validation also starts working as usual.

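A deployment smoke test for the behaviour described in the question, added here as an example; it is not code from the question, from the answer below, or from the Glimpse project. It sends the probe URL quoted above (foo=<script>) to a site you operate and classifies the response: a 500 whose body contains the "potentially dangerous" message means request validation is enforced, a 200 means the payload reached the application (the Glimpse symptom), and anything else is left undecided because a custom error page (customErrors on) hides the details. The classifier is separated from the HTTP call so it can be checked offline on constructed responses.

```python
"""Check whether ASP.NET request validation is enforced on a site you operate.

Added example; not from the question, the answer, or the Glimpse project.
Assumes the default ASP.NET error page (customErrors off), which returns
HTTP 500 with the message quoted in the question when validation trips.
"""
import urllib.error
import urllib.parse
import urllib.request

# Substring of the message ASP.NET puts in its error page when
# HttpRequestValidationException is raised (quoted in the question).
VALIDATION_MARKER = "potentially dangerous"

ENFORCED = "enforced"      # ASP.NET rejected the request
DISABLED = "disabled"      # the request was served normally
AMBIGUOUS = "ambiguous"    # error response present but details hidden


def classify(status: int, body: str) -> str:
    """Classify one HTTP response to the probe URL.

    A 500 whose body names the dangerous value is a clear pass. A 200 means
    the request reached the application with the payload intact, which is
    what the question observed once the Glimpse module was registered.
    Anything else (a bare 500, or a redirect to a custom error page) cannot
    be decided from the body alone; check the server's event log instead.
    """
    if status == 200:
        return DISABLED
    if status == 500 and VALIDATION_MARKER in body.lower():
        return ENFORCED
    return AMBIGUOUS


def build_probe_url(base_url: str) -> str:
    """Append foo=<script> as a percent-encoded query string.

    ASP.NET decodes the value before validating it, so encoding the probe
    changes nothing server-side and keeps the URL well-formed.
    """
    query = urllib.parse.urlencode({"foo": "<script>"})
    separator = "&" if urllib.parse.urlparse(base_url).query else "?"
    return f"{base_url}{separator}{query}"


def probe(base_url: str, timeout: float = 10.0) -> tuple:
    """Send the probe and return (status, body); HTTP error codes are data here."""
    url = build_probe_url(base_url)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


def check_request_validation(base_url: str) -> str:
    """Run the probe against a site you operate and classify the result."""
    status, body = probe(base_url)
    return classify(status, body)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/"
    verdict = check_request_validation(target)
    print(f"{target}: request validation {verdict}")
    # Non-zero exit so a CI job fails when validation is off or undecidable.
    sys.exit(0 if verdict == ENFORCED else 1)
```

Run it against a staging copy of the site before and after registering the Glimpse module; an exit code of 1 is the regression the question describes. Because the check only trusts the default error page, turn customErrors off on the staging host or extend `classify` to recognise your own error page.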
1 answer

ASP.NET, Request.RawUrl Request.RawUrl, Request.QueryString .. Glimpse ( RequestMetadata.get_RequestIsAjax) , Request.QueryString .

FWIW, ASP.NET . . Https://docs.microsoft.com/en-us/aspnet/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet-and-what-to-do-instead # .

