A potentially dangerous Request.Form has been detected


I'm using a php script to http post some xml files to a .net URL.

When I submit I get the response:

A potentially dangerous Request.Form value was detected from the client (<?xml version="...UTF-8"?> <!DOCTYPE cXML SYSTE..."). Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

As I'm not using .NET I can't set ValidateRequest="false" in web.config.

Do I need to sanitize my xml before submitting? How can I do this?


It's intriguing that you can see the full error, but are not capable of accessing the ASP.NET code. Normally, one can only see the full error when in debug mode, because in production, the error-setting is (should be) RemoteOnly or Off. This seems a configuration mistake and a potential risk on the side of the ASP.NET site.

You say "to http post some xml files". If you were indeed posting files, you wouldn't receive this response. Maybe you can contact the site's owner and ask him to change the form to allow file-input.

You can change your input such that it doesn't look like XML anymore, but then it isn't XML anymore either. I.e., change all < to &lt; and you'll be able to get your data through, but it must be unescaped when processed.

If this site is supposed to accept XML, it must be changed to accept XML. Either it should accept files, or it should accept HTML/XML input by turning ValidateRequest to off. If it is not supposed to receive XML, there's little you can do. It's like filling in a bank's payment form by putting letters in the amount-field: it just won't work (unless it was designed to work that way).
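The two ways out described in the answer, escaping the markup so the validator sees plain text, or sending the document as a real file part, as an added PHP example that is not part of the original question or answer. The form field name `xml`, the file part name `xmlfile`, the target URL taken from the command line, and the assumption that the receiving side decodes the escaped field are all mine; `looks_dangerous_to_aspnet` is a rough local model of the validator's commonly cited rule ("<" followed by a letter, "!", "/" or "?", or "&" followed by "#"), not the framework's own code.

```php
<?php
// Added example (not from the original question or answer). Shows (a) escaping
// the XML so ASP.NET request validation no longer sees anything tag-like, and
// (b) sending it as a multipart file part, which Request.Form validation does
// not cover. Field names, the URL and the server-side decode are assumptions.

// Constructed sample payload (cXML-shaped, not a real order document).
$xml = '<?xml version="1.0" encoding="UTF-8"?>' . "\n"
     . '<!DOCTYPE cXML SYSTEM "http://xml.cxml.org/schemas/cXML/1.2.014/cXML.dtd">' . "\n"
     . '<cXML><Request><OrderRequest/></Request></cXML>';

// Rough model of the validator's rule (an approximation, not the framework's code):
// "<" followed by a letter, "!", "/" or "?", or "&" followed by "#", is flagged.
function looks_dangerous_to_aspnet(string $value): bool
{
    return (bool) preg_match('/<[A-Za-z!\/?]|&#/', $value);
}

// (a) Escape only "<", ">" and "&". Quotes are deliberately left alone so no
// "&#...;" sequences are produced, which the same validator would also flag.
// The receiver must reverse this (e.g. HttpUtility.HtmlDecode in .NET) before
// handing the string to an XML parser.
function escape_for_form_field(string $xml): string
{
    return htmlspecialchars($xml, ENT_NOQUOTES, 'UTF-8');
}

// Reverse of escape_for_form_field, shown so the round trip is explicit.
function unescape_from_form_field(string $field): string
{
    return htmlspecialchars_decode($field, ENT_NOQUOTES);
}

// Post $xml as the escaped value of form field "xml" (assumed field name).
function post_as_escaped_field(string $url, string $xml)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['xml' => escape_for_form_field($xml)]),
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// (b) Post $xml as a multipart/form-data file part named "xmlfile" (assumed).
// File parts arrive in Request.Files, which the validator does not scan, so
// the document can travel unescaped. The server must, of course, accept files.
function post_as_file(string $url, string $xml)
{
    $tmp = tempnam(sys_get_temp_dir(), 'cxml');
    file_put_contents($tmp, $xml);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => ['xmlfile' => new CURLFile($tmp, 'text/xml', 'order.xml')],
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    unlink($tmp);
    return $body;
}

// Offline demonstration: the raw document trips the modelled rule, the escaped
// form does not, and the escaping is reversible.
$escaped = escape_for_form_field($xml);
printf("raw flagged: %s\n",     looks_dangerous_to_aspnet($xml)     ? 'yes' : 'no');
printf("escaped flagged: %s\n", looks_dangerous_to_aspnet($escaped) ? 'yes' : 'no');
printf("round trip ok: %s\n",   unescape_from_form_field($escaped) === $xml ? 'yes' : 'no');

// Only touch the network when a target URL is given on the command line.
if ($argc > 1) {
    echo post_as_file($argv[1], $xml), "\n";
}
```

Run it with no arguments to see the offline checks; pass the .NET endpoint as the first argument to actually send the file part. Either approach only works if the receiving application was built for it: the escaped field needs a decode step before XML parsing, and the file part needs a handler that reads Request.Files, which is exactly the point the answer makes about the site having to be changed to accept XML.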