Home > Uncategorized > ASP.NET 4 Breaking Changes #1: requestValidationMode cause ValidateRequest=False to fail

ASP.NET 4 Breaking Changes #1: requestValidationMode cause ValidateRequest=False to fail

The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file: <httpRuntime requestValidationMode=”2.0″ />


Because this is now in the BeginRequest phase of a HTTP request, pages with validationRequest=”false”  will still get the dreaded message. The only way is to

  1. Set requestValidationMode=”2.0″ in which case the page setting will apply
  2. Ignore requestValidationMode setting and create your own requestvalidator and change your web.config to use the custom validator (Click here to view how to do it)
Categories: Uncategorized
  1. April 25, 2010 at 4:01 pm

    thanks for the info

  2. May 2, 2010 at 3:53 pm

    In ASP.NET MVC this is an issue as [ValidateInput(false)] has no more effect …

  3. June 14, 2010 at 12:04 am

    yes but where?

    • VenomZ302
      August 12, 2010 at 5:25 am

      You put it in the web.config like so:

      • VenomZ302
        August 12, 2010 at 5:26 am

        [compilation debug=”true” targetFramework=”4.0″ /]
        [httpRuntime requestValidationMode=”2.0″ /]

        ] = >
        [ = <

      • kwanann
        August 12, 2010 at 6:18 am

        Well that’s if you wish to go back to the old mode. the new method gives you the capability to check it against your logic. so it all depends on your needs

  4. Ivan
    February 2, 2013 at 1:55 am

    Saludos para Windows 8 ya no es necesario esa validacion?

  5. ivan
    February 2, 2013 at 2:10 am

    help? windows 8

    Error de configuración
    Descripción: Error durante el procesamiento de un archivo de configuración requerido para dar servicio a esta solicitud. Revise los detalles de error específicos siguientes y modifique el archivo de configuración en consecuencia.

    Mensaje de error del analizador: Atributo ‘RequestValidationMode’ no reconocido. Tenga en cuenta que en los nombres de atributo se distinguen mayúsculas y minúsculas.

    Error de código fuente:

    Línea 2:
    Línea 3:
    Línea 4:
    Línea 5:
    Línea 6:

    Información de versión: Versión de Microsoft .NET Framework:2.0.50727.6400; Versión ASP.NET:2.0.50727.6387

    • February 14, 2013 at 7:32 am

      Hi, for .net2 there is no request validationmode, it is available only for .net 4 onwards

  6. January 25, 2016 at 6:48 pm

    This change only seems to be activated when a http module is added to IIS – don’t suppose you have any idea why that might be? The application pool is already set to v4.0, but perhaps that is ignored until something needs it?

    More details: http://serverfault.com/questions/751053/what-behaviours-are-triggered-by-adding-a-module-to-iis

    • January 27, 2016 at 6:51 am

      Not so, it will appear once you use v4 RequestValidationMode.

      You can try it out by simply removing the module and see if the same error occurs

      at the moment, you can change it to v2 or else use your own custom validation handler (which is the preferred method)

  1. June 24, 2011 at 4:45 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: