HTML Input and Input Validation through ValidateRequest in ASP.Net
When we enter HTML text in a TextArea or TextBox and post it to the server, we get the following error:
A potentially dangerous Request.Form value was detected from the client.
This is because, by default, every request to ASP.Net is validated against Cross Site Scripting attacks. To allow users to enter HTML text, we can set validateRequest=false either in the Page directive or in the configuration section. When we set this attribute to false, our own code must explicitly ensure that the input is safe. To do so, we need to encode the input with the HtmlEncode() method of the HttpUtility class. Refer to the code below.
It is better to set this attribute in the Page directive, only on the pages that require it. Setting it in Web.Config disables request validation for the whole site.
We can also disable the request validation for a set of pages inside a folder in the website through the <location> tag.
The location element should be placed outside of the <system.web> element.
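A Web.Config laid out as described above, with the site-wide setting shown beside the folder-scoped one. This is an added example, not the original article's code; the folder name Admin/Editor is hypothetical, and the httpRuntime line is an addition that applies to ASP.NET 4.0 and later.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Weak: this line would switch request validation off for every page in the site.
    <pages validateRequest="false" />
    -->
    <!-- Keep the site-wide default on. -->
    <pages validateRequest="true" />
  </system.web>

  <!-- Scoped: only pages under the (hypothetical) Admin/Editor folder accept HTML input.
       <location> is a child of <configuration>, placed outside the top-level
       <system.web>, and carries its own nested <system.web>. -->
  <location path="Admin/Editor">
    <system.web>
      <pages validateRequest="false" />
      <!-- On ASP.NET 4.0 and later, validateRequest="false" is honoured only
           when the 2.0 request validation mode is selected. -->
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>
</configuration>
```

Every page under the scoped folder now receives raw markup, so each one has to pass the posted values through HttpUtility.HtmlEncode() before writing them back to the response.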