Sep 1, 2003
Input validation in ASP.NET 1.1
ASP.NET 1.1 automatically validates input posted to the server against a list of potentially dangerous strings (the values are hard-coded, unfortunately, it would have been nice to be able to edit this list). For example, by default it prevents the user to submit text that contains "<script>", to protect the site against cross-site scripting attacks. If this default input validation fails, a HttpRequestValidationException exception is thrown. On some occasions, though, you may want to allow the user submit any string input, for example from administration page. To disable the automatic input validation you set to false the ValidateRequest attribute of the @ Page directive, at the top of the page. You can disable the validation for the whole application (although this is not advisable, generally), by setting to false the validateRequest attribute of the <pages> tag in the web.config or machine.config files.