ValidateRequest=”false” in ASP.NET 4

If you are someone like me who have recently upgrade to ASP.NET 4.0, you may have come across Yellow Screen of Death with Http Request Validation Exception, something like:

“A potentially dangerous Request.Form value was detected from the client”


Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client
Surprisingly, you will still see this exception even if you have set ValidateRequest to false in either the Page Tag or Web.Config.
ValidateRequest="false" or  <pages validateRequest="false" />
This may end you being freak out identifying the problem.
The solution is perhaps very simple. I would recommend to go and read ASP.NET 4 Breaking Changes.
“In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.and therefore request validation errors might now occur for requests that previously did not trigger errors.”
In order to revert to the behavior we had previously, you need to add the following setting in Web.config file:
<httpRuntime requestValidationMode="2.0"/>
And this should work!
Hope this helps!
  • Nice one, first result in Google, you beat Stack Overflow 😉

    Another real world example is if you have a CMS that needs to allow trusted users to directly enter HTML markup.

  • Anonymous

    Thank you

  • When you add it gives unrecognized element error.