
Disabling page validation in Episerver 6


In Episerver 6.1.379.0, .NET 4.5 is validating an XForm that has a '<' character in the input and throwing the error:

A potentially dangerous Request.Form value was detected from the client

The Episerver knowledge base describes disabling validateRequest in http://world.episerver.com/kb/10443/.

My question: is there a risk in disabling this at the .NET level, or does Episerver appropriately guard against these attacks, since the knowledge base very casually suggests doing this to fix the issue?

#181530
Aug 23, 2017 14:05

If you have XForms on only a few page types you could just add ValidateRequest="false" to the ASPX page directive for those templates.

XForm rendering and submission code will probably be just fine, but of course you add a little risk of vulnerabilities in places where you output form values in the site's own templates.

I usually have validateRequest on unless the site has features where HTML is posted by forms. Users shouldn't post HTML characters otherwise.

#182022
Sep 07, 2017 22:01
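The two ways of turning request validation off that the thread discusses, shown side by side as an added example (this is not the knowledge-base article's configuration or Episerver's own code, and `Templates/Pages/XFormPage.aspx` is a placeholder path): a site-wide `validateRequest="false"` strips the check from every page, while a `<location>` override confines it to the XForm template. On .NET 4.0 and later, `requestValidationMode="2.0"` is required for either the per-location setting or a page-level `ValidateRequest="false"` directive to take effect.

```xml
<!-- Weak: request validation disabled for every page on the site.
     Any template that echoes a posted value without HTML-encoding it
     is now exposed to markup injection. -->
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
</configuration>

<!-- Scoped: validation stays on by default and is switched off only for
     the template that renders the XForm (placeholder path). -->
<configuration>
  <system.web>
    <!-- 2.0 mode defers validation to the page level so the <location>
         override below is honoured. Caveat: in 2.0 mode, requests to
         non-page handlers (.ashx, WCF, etc.) are no longer validated
         by the runtime, so those handlers must encode output themselves. -->
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="true" />
  </system.web>
  <location path="Templates/Pages/XFormPage.aspx">
    <system.web>
      <!-- Only this template accepts '<' in posted fields. Anywhere its
           values are rendered, wrap them in Server.HtmlEncode. -->
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

Request validation is a coarse filter, not an output-encoding substitute: whichever variant is used, every template that prints a submitted value must still HTML-encode it.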