web.config - is validateRequest=false required?

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

You can monitor commits to the repository from this page. We also recommend developers to subscribe to email notifications in the developer forum as occasionally important things are announced.

Before posting questions here you might want to review the developer documentation.

Do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.
This thread is closed to new posts. You must sign in to post in the forums.
11/27/2017 8:21:04 AM
Fell runner
Gravatar
Total Posts 19
View Posts

web.config - is validateRequest=false required?

Hi

I have some mojoPortal sites where I would like to turn this back on, validateRequest=true.  But I'm worried that this might break something.  Originally I thought page validation was turned off for the WSIWYG html editors, but I have turned page request validation back on and it seems fine on pages with html editors.

Thanks

 

11/29/2017 11:48:29 AM
Joe Davis
Gravatar
Total Posts 2239
View Posts

Re: web.config - is validateRequest=false required?

Hi,

It'll take some time to for us to fully test this for you. The setting has been this way for a long time. Over the years, the editors have matured and some of the workarounds that were once needed aren't anymore.

Why do you need to turn it back on?

Thanks,
Joe

11/30/2017 1:28:11 AM
Crispin
Gravatar
Total Posts 537
View Posts
feet planted firmly on the ground

Re: web.config - is validateRequest=false required?

Hi Joe, I work with fellrunner...

The main reason is sites appear to fail basic tests like https://asafaweb.com when validation is off, and this makes clients worried!  But also turning it on adds extra protection for custom modules.

 

12/7/2017 11:48:42 AM
Crispin
Gravatar
Total Posts 537
View Posts
feet planted firmly on the ground

Re: web.config - is validateRequest=false required?

Hi Joe

Any update on this one?  We've not found any negative impact yet in simple tests.

thanks

12/7/2017 12:43:08 PM
Crispin
Gravatar
Total Posts 537
View Posts
feet planted firmly on the ground

Re: web.config - is validateRequest=false required?

Hmm - my testing on another site has the site crashing with any content edit in either Tiny or CK when validateRequest="true". This in the error log: 

System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client

I will have to check with colleague how he has this working!

12/8/2017 3:24:28 PM
Joe Davis
Gravatar
Total Posts 2239
View Posts

Re: web.config - is validateRequest=false required?

Hi Crispin,

I don't have an update for you, I'm sorry.

I'll try to focus on it next week to see what I can figure out. 

Thanks,
Joe

You must sign in to post in the forums. This thread is closed to new posts.