UGTS Document #61 - Last Modified: 8/29/2015 3:23 PM
ASP.NET Quirks

ASP.NET has some 'secure by default' behaviors that lead to obscure errors and workarounds:
  • Form Validation - By default, ASP.NET will validate all user input for potentially dangerous character sequences containing HTML tags to avoid XSS (Cross Site Scripting) attacks. This means that users cannot paste HTML sequences into form input, or an exception will be generated.

    This is a useful safety net if you haven't yet ensured that your code is safe against XSS attacks, but if you are sure you are not vulnerable (that is, everything you render is properly encoded) and you want users to be able to submit HTML through your form, then you will need to turn off this default behavior.

    In ASP.NET 4.x, this can be done a number of ways. The most common way is to edit the web.config file to set the request validation mode back to the ASP.NET 2.0 behavior (validate only when a page asks for it), and then turn validation off globally for the whole website. Both settings are needed: in 4.x mode, request validation runs before the page is even created, so validateRequest="false" on its own has no effect. To do this, add the following tags or values to the web.config file:

    <configuration>
      <system.web>
        <httpRuntime requestValidationMode="2.0"/>
        <pages validateRequest="false"/>
      </system.web>
    </configuration>

    Here is an article describing why Microsoft adopted this request validation model in ASP.NET 4.x.
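    A narrower alternative to the site-wide switch above, added here as an example (this is not code from the UGTS page): exempt only the one control that legitimately receives HTML and leave every other field validated. It assumes an ASP.NET 4.5 or later Web Forms page with requestValidationMode="4.5" in web.config (the default for 4.5 projects), and the control names CommentBox, CommentOut and SubmitButton are made up for the example.

```csharp
// Added example, not code from the UGTS page. Instead of turning request validation
// off for the whole site, exempt the single control that legitimately receives HTML
// and keep every other field validated. Requires ASP.NET 4.5 or later with
// <httpRuntime requestValidationMode="4.5"/> in web.config (the default for 4.5 projects).
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed page: CommentPage.aspx declares a TextBox "CommentBox", a Literal
// "CommentOut" and a Button whose Click event is wired to SubmitButton_Click.
public partial class CommentPage : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Same effect as ValidateRequestMode="Disabled" in the control's markup.
        // Init runs before postback data is loaded, so the exemption is in place
        // when the framework reads this field out of Request.Form.
        CommentBox.ValidateRequestMode = ValidateRequestMode.Disabled;
    }

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // Raw HTML arrives in CommentBox.Text. Any other field containing a tag
        // still raises HttpRequestValidationException, exactly as before.
        string rawHtml = CommentBox.Text;

        // Bypassing validation moves the XSS responsibility to output handling:
        // encode before echoing. If the HTML must actually render, pass it through
        // an allow-list sanitizer instead of HtmlEncode (not shown here).
        CommentOut.Text = HttpUtility.HtmlEncode(rawHtml);
    }
}
```

    With this approach the web.config changes shown earlier are not needed. To confirm the exemption really is limited to one control, post a string such as "<b>" into a different text box on the same page and check that the framework still rejects it.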