Disabling page validation in Episerver 6


In Episerver 6.1.379.0, .NET 4.5 is validating an XForm that has a '<' character in the input and throwing the error:

A potentially dangerous Request.Form value was detected from the client

The Episerver knowledge base describes disabling validateRequest in http://world.episerver.com/kb/10443/.

My question: is there a risk in disabling this at the .NET level, or does Episerver appropriately guard against these attacks, since the knowledge base very casually suggests doing this to fix the issue?

Aug 23, 2017 14:05

If you have XForms on only a few page types you could just add ValidateRequest="false" to the ASPX page directive for those templates.

XForm rendering and submission code will probably be just fine, but of course you add a little risk of vulnerabilities in places where you output form values in the site's own templates.

I usually have validateRequest on unless site has features where HTML is posted by forms. Users shouldn't post HTML chars otherwise.

Sep 07, 2017 22:01
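The per-template approach from the reply above, as an added example that is not part of the thread and is not Episerver's own code: a minimal constructed ASPX template with request validation switched off in its page directive and every posted value encoded on output. The field name `comment` and the helper `Posted` are hypothetical; a real Episerver template would inherit from the site's own base page class.

```aspx
<%@ Page Language="C#" ValidateRequest="false" %>
<%-- On .NET 4 and later the attribute above is honoured only when web.config
     has <httpRuntime requestValidationMode="2.0" /> under <system.web>.
     Leave <pages validateRequest> at its default (true) so that every other
     template keeps request validation. --%>
<script runat="server">
    // Hypothetical helper: posted value of a field, HTML-encoded for element content.
    protected string Posted(string field)
    {
        string raw = Request.Form[field] ?? string.Empty;
        return HttpUtility.HtmlEncode(raw);
    }

    // Same value, encoded for use inside a quoted HTML attribute.
    protected string PostedAttr(string field)
    {
        string raw = Request.Form[field] ?? string.Empty;
        return HttpUtility.HtmlAttributeEncode(raw);
    }
</script>
<html>
<body>
    <h2>Weak: raw form value written into the page</h2>
    <%-- With validation off, markup in the posted value reaches the browser as markup. --%>
    <p><%= Request.Form["comment"] %></p>

    <h2>Corrected: encoded on output</h2>
    <%-- The colon syntax (.NET 4+) HTML-encodes the expression. --%>
    <p><%: Request.Form["comment"] %></p>

    <%-- Equivalent, using the helpers above. --%>
    <p><%= Posted("comment") %></p>
    <input type="text" name="comment" value="<%= PostedAttr("comment") %>" />
</body>
</html>
```

Posting `a < b` to this template renders the literal text in the corrected paragraphs, because `<` is emitted as `&lt;`.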