ron ron - 24 days ago 9
ASP.NET (C#) Question

What are the security implications of using ValidateRequest="false" to circumvent "A potentially dangerous Request.Form value was detected"?

I got the following message:

    A potentially dangerous Request.Form value was detected from the client

when trying to save the value $.

I looked at some common answers over the web and they suggested using ValidateRequest="false" at the head of the .ASPX file.

Is it a good solution from the security point of view? Isn't it a security risk?

Answer

To expand on CodeCaster's comment, this is definitely a dangerous thing to do. You're allowing users to enter information, which means that a savvy user will now be able to play around with your site internals.

Cross-site scripting

If the value is being posted to some news feed or something else, allowing free-form input could mean injecting JavaScript into your feeds that will execute against other users of the site and open them up to attack. This could be as simple as injecting ads onto your site, or even redirecting them to another attack page, which will make you look pretty bad.
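The alternative to turning validation off for the whole page, as an added example that is not part of the question or the answer above: read only the one field that legitimately needs unvalidated input, and HTML-encode it when it is rendered so that stored JavaScript is shown as text rather than executed. The page name (Comments.aspx), the form field name "comment", the control IDs and the in-memory store are all assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind for Comments.aspx. The page keeps the default
// ValidateRequest="true". The markup is assumed to contain:
//   <textarea name="comment"></textarea>              (plain HTML, not a server control)
//   <asp:Button ID="SubmitButton" runat="server" OnClick="SubmitButton_Click" />
//   <asp:Literal ID="CommentsOutput" runat="server" />
// A plain <textarea> is used on purpose: a server-side TextBox would load its
// value through the validated Request.Form collection and trip the
// "potentially dangerous Request.Form value" check before our code runs.
public partial class Comments : Page
{
    // Constructed stand-in for the news feed / database the answer talks about.
    private static readonly List<string> StoredComments = new List<string>();

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // What the "ValidateRequest=false" advice leads to (do NOT do this):
        //   string comment = Request.Form["comment"];          // validation off page-wide
        //   CommentsOutput.Text += "<p>" + comment + "</p>";   // raw output: stored XSS
        //
        // .NET 4.5+: Request.Unvalidated reads this one field without request
        // validation, so every other field on the page is still checked.
        string comment = Request.Unvalidated.Form["comment"] ?? string.Empty;

        // Store the raw value. Encoding belongs at the output boundary, not at
        // input time, because the same text may later be emitted into contexts
        // (JSON, attributes, plain-text email) that need different encodings.
        StoredComments.Add(comment);

        CommentsOutput.Text = RenderComments(StoredComments);
    }

    // Builds the HTML fragment for the feed. Every user-supplied string passes
    // through HttpUtility.HtmlEncode, so "<script>alert(1)</script>" becomes
    // "&lt;script&gt;alert(1)&lt;/script&gt;" and the browser displays it verbatim.
    public static string RenderComments(IEnumerable<string> comments)
    {
        var html = new StringBuilder();
        foreach (string c in comments)
        {
            html.Append("<p>").Append(HttpUtility.HtmlEncode(c)).Append("</p>");
        }
        return html.ToString();
    }
}
```

Two caveats a practitioner will hit: on ASP.NET 4.0 and later, a page-level ValidateRequest="false" is ignored unless web.config also sets `<httpRuntime requestValidationMode="2.0" />`, which loosens validation for the entire application; Request.Unvalidated avoids that knob entirely. And request validation is a heuristic blocklist, not an XSS defence: even with it on, anything echoed back into HTML still needs output encoding for the context it lands in (HtmlEncode for element content, HtmlAttributeEncode for attribute values, JavaScriptStringEncode inside script).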