FreeTextBox and 4 request validation

October 17, 2010


In Asp.Net 4 the request validation model has changed (Yet another breaking change). In short, request validation is a security feature of Asp.Net which meant to prevent a user from XSS or script injection attacks. In Asp.Net the behavior of request validation has changed.  Validation of the input is know performed in the BeginRequest stage in the life-cycle .

When we converted out web application to Asp.Net 4, we found out that one of our pages, which uses a control call FreeTextBox, threw a validation exception each time an input was typed and submitted in that control.

FreeTextBox control is used to allow users to create composite text which can be displayed in html – features like font sizes/types, bold, alignment etc… The control actually creates html from the user input and commands.

Asp.Net 4 interprets the generated input from the control as a XSS attack and prevents the page from running.

Doron posted on this subject, but in Asp.Net 4 there is no page directive for the mode of the request validation.

The immediate solution was to change the request validation model to run in Asp.Net 2.0 runtime. The change is quite simple. Simply add the following line to the web.config, under the system.web node:

   1: <httpRuntime requestValidationMode="2.0" />

If your page is in a folder you can create a web.config file their and put this line so the request validation in 2.0 mode will work only on the pages in that folder (so the other pages in the app can use the 4.0 mode).

In the long run we plan to upgrade the control (which is pretty old) to a newer version (impossible now due to an upgrade to the FreeTextBox site) or to replace it with RadEditor control from the RadControls suite, which from initial tests doesn’t have this problem.

More on that soon…

Add comment
facebook linkedin twitter email

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>



  1. RyanDecember 30, 2010 ב 20:10

    Great post, saved me a lot of headache. Thanks!

  2. shivaMarch 11, 2011 ב 14:58

    where to add this code in step by step
    and the location where to add this code

  3. ysaMarch 12, 2011 ב 20:50

    httpRuntime section sits under the system.web section in your web config.
    Simply add the requestValidationMode attribute in that section and everything will work prefectlly

  4. Ratan SahaMay 11, 2011 ב 6:03

    once I put <httpRuntime requestValidationMode="2.0" /> in web config, it’s not showing error message "potentially dangerous….". But save button is not working. In fact, the event is not fired. While I debug it’s not going into that event. But it’s working perfectly with .Net framework 2.0.

    Any help will be appreciated.

  5. Marco PoloAugust 9, 2011 ב 23:27

    it kind of defeat the purpose if you have to . I wish there will be a way that you can do something as basic as making a content managment type of application without having to “go back” to 2.0 validation mode

  6. chintuJune 7, 2012 ב 13:36

    thanks a lot… @ysa