Issue using requestValidationMode="2.0"

Discussion in 'ASP.NET / ASP.NET Core' started by torrey, Dec 29, 2010.

  1. I recently upgraded my site to .NET 4.0 but found issues with the new HTTP validation and when this happens in the pipeline. According to MSDN (http://msdn.microsoft.com/en-us/library/ee941656.aspx#aspnet search for text 'request validation') you will see that putting <httpRuntime requestValidationMode="2.0" /> within the <system.web> tag in your web.config should revert to old behavior. This works great when testing locally on my machine. However, DASP does not seem to accept this setting since I keep getting this exception:

    System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (%).
    at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
    at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

    Does DASP not support turning off 4.0 request validation? Do I need to do something in addition to the web.config setting? My site is using .NET 4.0 Integrated mode.
     
  2. Bruce (DiscountASP.NET Staff)

    >>Does DASP not support turning off 4.0 request validation?

    Actually, you can't even disable this feature, i.e., it should work fine.

    Did you set

    <pages validateRequest="false" /> in your web.config?
     
  3. I have tried setting validateRequest to false both in the web.config and on the individual pages that I didn't want to have the validation and I still get the error. Locally I get the intended behavior but DASP does not. I want to use the requestValidationMode="2.0" so that it will work like it did back then. Not only did .NET change where in the pipeline they do the validation, they really tightened up the validation as well. I don't mind if a %20 is in a URL, which is where I'm seeing one of the errors.
     
  4. I have been looking around and think I've finally found the solution to my problem. The issue has to do with the new validation starting with .NET 4.0. Simply stating you want to go back to 2.0 does not mean you go back to the algorithm they used in 2.0, just the point in the pipeline where the validation occurs. The following blog illustrates the different ways to configure the new validation (http://www.hanselman.com/blog/Exper...herNaughtyThingsInTheASPNETIISRequestURL.aspx).
     
  5. mjp

    Thanks for posting that follow up.
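
The distinction described in post 4, shown as a web.config fragment. This is an added example, not part of the original thread: requestValidationMode and the Request.Path character check are separate httpRuntime settings. It assumes the .NET 4.0 default for requestPathInvalidCharacters; Editor.aspx is a hypothetical page name.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the thread): web.config fragment for .NET 4.0. -->
<configuration>
  <system.web>
    <!--
      requestValidationMode="2.0" only moves form/query-string validation
      back to the page stage, where validateRequest="false" is honored again.
      It does not change the Request.Path character check.

      requestPathInvalidCharacters is the separate list behind the
      "potentially dangerous Request.Path value" exception.
      Assumed .NET 4.0 default:  <,>,*,%,&,:,\,?
      Below, only % is dropped; the other seven characters stay blocked.
      Setting the attribute to "" would switch the path check off entirely.
    -->
    <httpRuntime requestValidationMode="2.0"
                 requestPathInvalidCharacters="&lt;,&gt;,*,&amp;,:,\,?" />

    <!-- Keep request validation on as the site-wide default. -->
    <pages validateRequest="true" />
  </system.web>

  <!-- Hypothetical page name: relax validation only where it is needed. -->
  <location path="Editor.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

With a path-character relaxation like this, any code that uses Request.Path to build file names, redirects or output has to treat the value as untrusted and encode or canonicalize it itself.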
     
