ASP.NET 1.1 adds a request validation feature designed to prevent
some types of script injection attacks. If request validation is
enabled (the default), ASP.NET will check all posted values, cookies,
and the query string for potentially dangerous input. One example of
potentially dangerous input is a JavaScript block that a user enters
into a textbox. This becomes a problem if your code displays the
textbox content by writing it to a web page without first encoding it
using the HttpServerUtility.HtmlEncode() method. In this case, your
page will not just display the textbox contents; instead, the browser
will execute the script block.
With request validation, however, this shouldn't
occur, as ASP.NET will throw the
HttpRequestValidationException when a page with
potentially dangerous content is posted back to the server.
You can disable request validation by setting the
validateRequest attribute in the
Page directive to false. In
this case, your application should explicitly check or HTML encode
all user input. Note that request validation and the
HttpRequestValidationException class are only
found in Version 1.1 of the .NET Framework.
public sealed class HttpRequestValidationException : HttpException {
// No public or protected members
}
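
The case described above, where validateRequest is set to false and the page must check and encode input itself, shown as an added example that is not part of the original text. The control ids (Comment, Submit, Output), the handler name Submit_Click and the 500-character limit are assumptions chosen for illustration.

```aspx
<%@ Page Language="C#" validateRequest="false" %>
<%-- Added example: request validation is off for this page, so ASP.NET
     will not throw HttpRequestValidationException on markup in the post.
     The page is now responsible for checking and encoding the input. --%>
<script runat="server">
    // Hypothetical handler name; wired to the button below.
    void Submit_Click(object sender, EventArgs e)
    {
        string raw = Comment.Text;

        // Explicit check: reject empty or oversized input before using it.
        // The 500-character limit is an arbitrary sample value.
        if (raw.Length == 0 || raw.Length > 500)
        {
            Output.Text = "Please enter between 1 and 500 characters.";
            return;
        }

        // Label.Text is written to the response as-is, so the value must be
        // encoded here. HtmlEncode converts characters such as <, >, & and "
        // into entities, so the browser renders the text instead of
        // interpreting it as markup or script.
        Output.Text = Server.HtmlEncode(raw);
    }
</script>
<html>
<body>
  <form runat="server">
    <asp:TextBox id="Comment" runat="server" TextMode="MultiLine" />
    <asp:Button id="Submit" runat="server" Text="Post" OnClick="Submit_Click" />
    <p><asp:Label id="Output" runat="server" /></p>
  </form>
</body>
</html>
```

Removing validateRequest="false" from the directive restores the default, and a posted value containing a script block is then rejected with HttpRequestValidationException before Submit_Click runs.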