
ValidateRequest="false" acts strange

(ASP.NET 4.0, C#)

I have <httpRuntime requestValidationMode="2.0" /> in web.config. And I also have validateRequest="false" in the page directives.

On one page, I send some data (html) from ckeditor (textarea) to the database. Works great. On another page, I populate ckeditor with data from the database, then update it (send it back), and I get the famous "potentially dangerous Request.Form value was detected by the client."

I am very confused. The only difference is that on the second page the data is dynamically inserted into the text field, where on the first page the text field is empty on page load. Did I miss something? I'm pretty sure encoding / decoding doesn't mean anything, as the infrastructure stops it before I can even start messing with it on the server.

+6
c# webforms ckeditor
3 answers

Well, I did not find the answer why it behaves as it is. But I found a very simple and quick way (+ new benefits).

There's a guy who made a .NET CKEditor control:

http://cksource.com/forums/viewtopic.php?f=11&t=15882

I go there. It works like a charm. No validation errors ever.

+1

Try setting ValidateRequest to false in the page directive? A better option would be to use the Microsoft Anti-Cross Site scripting library:

http://msdn.microsoft.com/en-us/library/aa973813.aspx

This question has been answered:

What is the difference between requestValidationMode 2.0 and 4.0

It is also possible that either ASP.NET 4.0 is not installed or the application pool is not installed in 4.0.

0

ValidateRequest="false" applies only to .aspx files in previous versions of the framework.

In ASP.NET 4, it is enabled for all requests up to the BeginRequest stage of any HTTP request. Therefore, request validation applies to requests for all ASP.NET resources, such as web service calls and custom HTTP handlers.

To get around this new mechanism, you need to create your own RequestValidator and modify web.config to use this custom validator.

http://msdn.microsoft.com/en-us/library/system.web.util.requestvalidator.aspx

0
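The custom RequestValidator approach from the last answer, sketched as an added example that is not part of the original thread: it exempts a single rich-text form field and leaves the framework's default checks in place for every other input. The namespace, class name and form field key are assumptions chosen for illustration.

```csharp
// Added example. SampleApp.Security, EditorRequestValidator and the
// field key below are hypothetical names, not taken from the thread.
using System;
using System.Web;
using System.Web.Util;

namespace SampleApp.Security
{
    // Registered in web.config (ASP.NET 4):
    //   <httpRuntime
    //     requestValidationType="SampleApp.Security.EditorRequestValidator" />
    public class EditorRequestValidator : RequestValidator
    {
        // Assumed posted name of the CKEditor textarea. In WebForms this is
        // the control's UniqueID, so check the rendered "name" attribute.
        private const string EditorField = "ctl00$MainContent$txtBody";

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = -1;

            // Relax validation only for the one form field expected to
            // carry HTML. Query strings, cookies, headers and all other
            // form fields still go through the default checks below.
            bool isEditorField =
                requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, EditorField,
                              StringComparison.Ordinal);

            if (isEditorField)
            {
                // The markup is now unvalidated input: sanitize it against
                // an allow-list before storing it, and encode or sanitize
                // it again wherever it is rendered.
                return true;
            }

            // Default behaviour for everything else.
            return base.IsValidRequestString(
                context, value, requestValidationSource,
                collectionKey, out validationFailureIndex);
        }
    }
}
```

Because the validator is consulted for every validated request value, keeping the exemption to one named field means the rest of the application keeps request validation switched on.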
