a potentially dangerous request form value was detected from the client

a potentially dangerous request form value was detected from the client  using -'c#,jquery,asp.net,architecture,postback'

I have this issue. I have tried everything. ValidateRequest="false".. and decoding and encoding html.. etc. etc..

What I need is a popup box (so im using ModalPopupExtender) to present to a user where people can type in xml settings and click ok/cancel button to close the popup and save.

However i keep on getting this error "A potentially dangerous Request.Form value was detected from the client"..

Here is my test code below (quick example of my scenario and error)..

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm1.aspx.cs" Inherits="WebApplication1.WebForm1"
    ValidateRequest="false" %>

<%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit" TagPrefix="cc1" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <form id="form1" runat="server">
    <asp:ScriptManager ID="ScriptManager1" runat="server">
        <asp:Panel ID="Popup" runat="server" Width="800px" Style="display: none;">
            <asp:LinkButton ID="Display" runat="server" Style="display: none;" OnClick="Display_Click" />
            <cc1:ModalPopupExtender ID="ModalPopupExtender" runat="server" TargetControlID="Display"
                PopupControlID="Popup" DropShadow="false" Y="10" />
            <div id="Item">
                <div class="Item">
                    <table width="100%">
                                <textarea id="txtAreaValue" cols="35" rows="6" style="resize: none;" runat="server" />
                                <asp:Button ID="btnOk" Text="Ok" SkinID="default" Width="50px" runat="server" />
                                <asp:Button ID="btnCancel" Text="Cancel" SkinID="default" Width="50px" OnClick="BtnCancel_Click"
                                    runat="server" />

Code Behind:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace WebApplication1
    public partial class WebForm1 : System.Web.UI.Page
        protected void Page_Load(object sender, EventArgs e)
            string str = "<?xml version=\"1.0\" encoding=\"utf-8\"?><XmlConfig xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"> <XmlConfig Type=\"TEST\" DefiningXpath=\"/PERSON/NAME\"><Index Name=\"Name\" XPath=\"/PERSON/NAME/VALUE\" Type=\"String\" /><Index Name=\"Id\" XPath=\"/PERSON/NAME/ID\" Type=\"String\" /> </XmlConfig></XmlConfig>";

            txtAreaValue.InnerText = str;

        protected void Display_Click(object sender, EventArgs e)
            //Shows the Item detail Edit box

        protected void BtnCancel_Click(object sender, EventArgs e)

To run the code.. Add ref to AjaxControltoolkit.dll and then run and you will see the textarea being populated with xml. Click on the cancel button and this causes the error. Please can anyone help me?

asked Sep 29, 2015 by suyesh.lokhande
0 votes

6 Answers

0 votes


in your web.config (keeping any attributes you already have on that element, if it's already there). ASP.NET4.0 ignores ValidateRequest otherwise.

And, of course, do make sure that you take necessary measures to protect against genuinely dangerous requests, now that it's not being done for you.

Edit: A great way of doing this is to create your own class derived from RequestValidator, and using the 4.0 behaviour, but with that as the class that does the checking.

answered Sep 29, 2015 by rolvyrf
0 votes

Here are possible solution which may help you. Make server side configuration setting for this. If you want to allow HTML element as input from selected pages in your project than you set this page attribute.

<%@ Page ValidateRequest="false" %>

This ValidateRequest="false" on each page. If you want in all pages in you project than make changes in Web.Config file. Add this tag In section.

If you are using .Net 4.0 than you have to make one more change in Web.Config file. Add this tag In section.

Here are configuration for do not validate request for all pages in .Net 4.0


Here is full example on this. Click Here...

answered Sep 29, 2015 by dahiyabecomp
0 votes

Well, people are talking about Asp.net 4.0 only... I guess we need to address other versions too. Today, I had the same problem when I replaced my AjaxToolkit editor with TinyMCE and with the postback I found the same issue.

"A potentially dangerous Request.Form value was detected from the client"..

So I used this line inside my webconfig and it worked for me.


It should work across Asp.net 2.0 to 3.5.

UPDATE: Even works upto .net 4.5

UPDATE: You can also try to validate the request on page level rather whole website. Just wanted to let the readers to choose the best way. Thanks DVD for pointing this out.

answered Sep 29, 2015 by vimaldas2005
0 votes

There are 3 options to remove this error.

  1. Set validateRequest="false" in page directives.
  2. Set validateRequest="false" in web.config file.
  3. Set requestValidationMode="2.0" in web.config if you are using DotNet 4.0

Checkout this link for more info.

answered Sep 29, 2015 by dhananjayksharma
0 votes

"A potentially dangerous Request.Form value was detected from the client"..

1) set httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="<,>,\" in web.config file

2) set validateRequest="false" in side pages tag in web.config file


answered Sep 29, 2015 by sumit_jaiswalmca
0 votes

I faced this same problem while sending some email templates from aspx page to code behind....

So I tried to solve this by adding


in my web config under enter code here` but that did not helped me unless I putted


attrribute in the page directive of the aspx page.

answered Sep 29, 2015 by mannumits1