One of the changes in
asp.net 4.0 that I discovered the hard way last week has to do with request validation. I created a web service with a few methods that allow an application to send email messages using an email marketing service instead of our SMTP server, very simple nothing complex.
The problem
We can call and execute the web methods from our web application without a problem, everything works. However, when we tried to execute one of these web methods where the message's body is a parameter, and we executed it from a browser using query strings we got a request validation exception.
It turns out that in
asp.net 4, request validation is enabled by default for
all requests, because it is enabled before the BeginRequest phase of an HTTP request. Request validation applies to all requests and not only to .aspx page requests, for example, our .asmx web service call.
Because of this, you might see an error like the one shown below, an error you didn't see prior to
asp.net 4 because request validation was enabled by default in previous versions of the framework but it only applied to
asp.net pages (.aspx).
This is the error message:
System.Web.HttpRequestValidationException:
A potentially dangerous Request.QueryString
value was detected from the client
The solution
To turn off request validation in
asp.net 4, you need to add the following to your web.config:
<httpRuntime requestValidationMode="2.0" />
As always, remember to analyze any request validation errors and check for unsafe HTTP inputs to avoid the potential of XSS attacks.