Tags: webforms, web.config, .net-4.5, validate-request

validateRequest=true and requestValidationMode="4.0" lets html through


I have a Web Forms website on IIS7 and .NET 4.5.1 and I want the http requests to be validated using Microsoft's Request validation. The web.config default values for validateRequest and requestValidationMode are supposed to be "true" and "4.0" respectively and that should be what I want (I tried specifying them just in case).

<system.web>
<pages validateRequest="true" />
<httpRuntime requestValidationMode="4.0" />
</system.web>

For some reason, when I input an html tag (tried <script> and <a>) in a form and then submit it, I get the expected Potentially Dangerous request error, but the tag still gets saved in the database. Why did it go through? I simply take the textbox's Text value as is and send it to my DB, but I expect the error to stop that from happening.

When I tried setting:

<httpRuntime requestValidationMode="2.0" />

The error was the same, but this time, the tag didn't end up in the database, which is what I want.

I would like to understand why the less safe validation mode "2.0" is the only one that actually prevents the request from going through in my case, which doesn't seem to make much sense. There must be something I'm missing, please let me know if I should provide other information.


Solution

  • I have found a solution to my own problem. It would appear that Microsoft's documentation about requestValidationMode states that all values above "4.0" are interpreted as "4.0", but that isn't true. Reading this interesting page, I have found out there's a "4.5" value that is valid and does exactly what I wanted.
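The web.config fragment that puts the answer into practice, as an added example that is not part of the original question or answer. The targetFramework attribute is assumed here; the only setting the thread itself establishes is requestValidationMode="4.5", which needs the .NET Framework 4.5 runtime (the asker is on 4.5.1).

```xml
<configuration>
  <system.web>
    <!-- Request validation stays on for every Web Forms page. -->
    <pages validateRequest="true" />

    <!-- The mode the question started with: the poster saw the
         "Potentially Dangerous request" error page, yet the submitted
         tag still reached the database. -->
    <!-- <httpRuntime requestValidationMode="4.0" /> -->

    <!-- The mode the answer settled on. targetFramework is an assumed
         value, not something stated in the thread. -->
    <httpRuntime targetFramework="4.5.1" requestValidationMode="4.5" />
  </system.web>
</configuration>
```

After deploying the change, repeat the poster's own check: submit a textbox value containing a tag such as <a>, confirm the error page appears, and then confirm no row with that value was written to the database.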