I'm sure you've seen this before:
A potentially dangerous Request.Form value was detected from the client
Ugh! Annoying. So what's dangerous about the request? Could be anything, but let's break down what ASP does in the background when it actually validates the request.
1. Checks postback keys
This is almost inconsequential, but something worth pointing out. The HttpRequest class has a private method called ValidateNameValueCollection that determines whether or not a postback value should be validated. Oddly enough, this has nothing to do with checking whether the developer has supplied a way to bypass validation (like by using the ValidateInputAttribute in MVC). All this method does is make sure that all of the keys are validated, unless the key begins with "__". I'm assuming this is here so fields like "__VIEWSTATE" don't break the validation.
2. Validate input
After the key's been checked, if the matching value isn't null, it's then passed to a series of functions that check that the value:
- Doesn't contain any text with an < followed immediately by any letter, !, ?, or / symbol.
- Doesn't contain the text "&#"
That's it.
That's all it does.
I actually think catch-all validation like this is fairly useless for anyone with a little experience in web development, because throwing an exception when HTML tags are sent to the server isn't necessarily going to prevent them from being rendered back out to the client. The values should be sanitized before being sent back to the client, instead.
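To make the two steps concrete, here is a small re-implementation of the rules as described above, followed by encoding on output. It is an added sketch, not the framework's own source: the class and method names and the sample fields are made up, "letter" is assumed to mean ASCII a-z/A-Z, and WebUtility.HtmlEncode stands in for whatever output encoding your view layer uses.

```csharp
using System;
using System.Net;

static class RequestValidationSketch
{
    // Step 1: keys beginning with "__" (such as "__VIEWSTATE") are not validated.
    static bool IsKeyValidated(string key) =>
        key == null || !key.StartsWith("__", StringComparison.Ordinal);

    // Assumption: "letter" means ASCII a-z / A-Z.
    static bool IsLetter(char c) => (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

    // Step 2: flag "<" followed immediately by a letter, "!", "?" or "/", and flag "&#".
    static bool IsFlagged(string value)
    {
        if (value == null) return false; // null values are never checked
        for (int i = 0; i + 1 < value.Length; i++)
        {
            char c = value[i], next = value[i + 1];
            if (c == '<' && (IsLetter(next) || next == '!' || next == '?' || next == '/'))
                return true;
            if (c == '&' && next == '#')
                return true;
        }
        return false;
    }

    static void Main()
    {
        // Constructed sample form fields, not captured traffic.
        var fields = new[]
        {
            ("comment",     "<b>hello</b>"),        // "<" + letter: flagged
            ("entity",      "&#60;"),               // contains "&#": flagged
            ("formula",     "a < b and b > c"),     // "<" + space: passes
            ("nickname",    "Tom \"T\" <3 cats"),   // "<" + digit: passes
            ("__VIEWSTATE", "<x"),                  // key starts with "__": skipped
        };

        foreach (var (key, value) in fields)
        {
            bool rejected = IsKeyValidated(key) && IsFlagged(value);
            // Whatever the check decided, encode when writing the value into HTML.
            Console.WriteLine($"{key,-12} rejected={rejected,-5} encoded={WebUtility.HtmlEncode(value)}");
        }
    }
}
```

The "formula" and "nickname" rows pass the check while still containing characters that have meaning in HTML, which is why the encoding step is applied to every value regardless of the validation result.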