UGTS Document #61 - Last Modified: 8/29/2015 3:23 PM
ASP.NET has some 'secure by default' behavior which can lead to obscure errors and workarounds:
- Form Validation - By default, ASP.NET validates all user input for potentially dangerous
character sequences containing HTML tags, to avoid XSS (Cross Site Scripting) attacks. This means that
if a user submits form input containing HTML sequences, an exception is generated instead of
the request being processed.
This is good if you haven't yet ensured that your code is safe against XSS attacks, but if
you are sure you are not vulnerable, and you want users to be able to submit HTML through your form,
then you will need to turn off this default behaviour.
In ASP.NET 4.x, this can be done in a number of ways. The most common way is to edit the
web.config file to set the request validation mode back to the ASP.NET 2.x model, and then turn validation off globally
for the whole website. To do this, add the following tags or values to the web.config file:
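As an added example (not the original document's own configuration), the first fragment below is the global switch the text describes, and the second is a narrower form that keeps validation on for the site and turns it off only for the one page that must accept HTML. Both use the standard `httpRuntime` `requestValidationMode` and `pages` `validateRequest` settings; the page name `Editor.aspx` is an assumption.

```xml
<!-- Added example, not from the original document.
     (1) Global: the whole site stops validating request input.
     requestValidationMode="2.0" reverts to the ASP.NET 2.x model (validation
     happens at the page level, not before BeginRequest), and validateRequest="false"
     then disables it for every page. Every form now depends on its own output encoding. -->
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
</configuration>

<!-- (2) Scoped: validation stays on by default; only the page inside the
     <location> element (Editor.aspx is an assumed name) accepts raw HTML.
     requestValidationMode="2.0" is still required, because in the 4.x mode
     validation runs before any page-level setting can take effect. -->
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
  <location path="Editor.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

The same per-page opt-out can be expressed in the page itself with `ValidateRequest="false"` in its `<%@ Page %>` directive, again only when `requestValidationMode="2.0"` is set. In either form, the page that accepts HTML has to encode it on output (for example with `Server.HtmlEncode`) or pass it through a sanitizer, since request validation no longer rejects it on the way in.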
Here is an article describing
why Microsoft adopted this request validation model in ASP.NET 4.x.