Request validation in ASP.NET is designed to protect against cross-site scripting (XSS) attacks. This feature has been available since the early days of ASP.NET and gives your web sites default protection against XSS attacks. Check this post to learn the fundamentals of ASP.NET request validation. In this post I am going to talk about the changes to request validation in the ASP.NET 4.5 Developer Preview.
ASP.NET request validation is turned on by default, and prior to 4.5 it was a page-level setting. Before ASP.NET 4.5, validation had to be disabled for the entire page, using the ValidateRequest attribute in the page directive.
ASP.NET 4.5 introduces a nice enhancement to request validation: "Control Level Validation". With ASP.NET 4.5 you can now disable request validation for a specific control through a new property, "ValidateRequestMode".
You can set ValidateRequestMode to any of the values below.
Once you set the ValidateRequestMode property on a control, the ASP.NET runtime performs lazy request validation for that specific control.
To enable this feature, make sure requestValidationMode="4.5" is set in the httpRuntime section of your web application's web.config file.
As shown in the picture below, we have enabled and disabled validation for different controls. We can also set a control to inherit, so that it automatically takes the behavior of its parent control.
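The setup described above, as an added example that is not part of the original post: one text box is exempted from request validation while the rest of the page stays protected. The control IDs and the Save_Click handler are hypothetical, and the web.config fragment in the comment is assumed to be present.

```aspx
<%@ Page Language="C#" %>
<%-- Assumes web.config contains, inside <system.web>:
       <httpRuntime requestValidationMode="4.5" />
     The pre-4.5 alternative was ValidateRequest="false" in the Page
     directive, which switched validation off for every field on the page. --%>
<script runat="server">
    // Hypothetical handler for this example.
    protected void Save_Click(object sender, EventArgs e)
    {
        // txtTitle is still validated: a post with markup in that field
        // fails with HttpRequestValidationException when ASP.NET loads
        // the posted value, so this handler never sees it.
        string title = txtTitle.Text;

        // txtBody is exempt from validation, so its value is raw,
        // untrusted input. Encode it before it reaches the response.
        string body = txtBody.Text;

        lblTitle.Text = Server.HtmlEncode(title);
        lblBody.Text = Server.HtmlEncode(body);
    }
</script>
<html>
<body>
  <form id="form1" runat="server">
    <%-- No ValidateRequestMode set: the control inherits from its parent,
         so request validation stays on. --%>
    <asp:TextBox ID="txtTitle" runat="server" />

    <%-- Only this control accepts markup-like input. --%>
    <asp:TextBox ID="txtBody" runat="server" TextMode="MultiLine"
                 ValidateRequestMode="Disabled" />

    <asp:Button ID="btnSave" runat="server" Text="Save"
                OnClick="Save_Click" />

    <asp:Label ID="lblTitle" runat="server" />
    <asp:Label ID="lblBody" runat="server" />
  </form>
</body>
</html>
```

Disabling validation on a control removes the built-in check for that field only, so every place its value is rendered needs output encoding as in the handler above.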
Hope this helps!