June 7, 2007

How To Catch HttpRequestValidationException

If you've worked with ASP.NET for any length of time, you have worried about how to handle the Yellow Screen of Death. You know, the one that says:
HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client...
or something similar.

The common refrain is to turn off request validation, but there are times when you want to use the built-in validation functions. You just want a friendlier error for your user.

Most people try to catch the exception in their Global.asax Application_Error handler, but the handler appears unable to catch it. The reason? Your request must be completed before the Application_Error block finishes, or the Yellow Screen of Death will appear again.

Here is some code that will generate a slightly more user-friendly error page. Feel free to extend it or use it as you will.



    void Application_Error(object sender, EventArgs e)
    {
        // The exception that caused the current request to fail.
        Exception ex = Server.GetLastError();

        if (ex is HttpRequestValidationException)
        {
            // Discard any buffered output and send a static page instead.
            Response.Clear();
            Response.StatusCode = 200;
            Response.Write(@"
    <html><head><title>HTML Not Allowed</title>
    <script language='JavaScript'><!--
    function back() { history.go(-1); } //--></script></head>
    <body style='font-family: Arial, Sans-serif;'>
    <h1>Oops!</h1>
    <p>I'm sorry, but HTML entry is not allowed on that page.</p>
    <p>Please make sure that your entries do not contain
    any angle brackets like &lt; or &gt;.</p>
    <p><a href='javascript:back()'>Go back</a></p>
    </body></html>
    "
            );
            // Complete the request here, before Application_Error returns.
            Response.End();
        }
    }

(Update: Fixed an HTML entity issue; also fixed layout for people using IE6.)
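
A variant of the handler above that folds in the two adjustments readers raise in the comments (an explicit content type and a Server.ClearError() call) and records the rejection. This is an added example, not the author's code; the 400 status with TrySkipIisCustomErrors, the InnerException check and the Trace logging are assumptions of this example.

```csharp
// Global.asax code. Added example, not the original post's handler.
void Application_Error(object sender, EventArgs e)
{
    Exception ex = Server.GetLastError();
    if (ex == null) return;

    // Assumption: also check one level down in case the validation
    // exception arrives wrapped in another exception.
    HttpRequestValidationException rejected =
        (ex as HttpRequestValidationException)
        ?? (ex.InnerException as HttpRequestValidationException);
    if (rejected == null) return; // other errors keep their normal handling

    // The exception message quotes part of the submitted value, so it goes
    // to a log for review and is never written into the response.
    // (Trace calls need the TRACE symbol; swap in the application's logger.)
    System.Diagnostics.Trace.TraceWarning(
        "Request validation rejected {0} request from {1}: {2}",
        Request.HttpMethod, Request.UserHostAddress, rejected.Message);

    Server.ClearError();   // mark the error handled so no YSOD is rendered
    Response.Clear();      // drop any partially buffered output

    // Assumption: report the rejection as a client error instead of 200.
    // TrySkipIisCustomErrors (.NET 3.5+) keeps IIS from replacing the body.
    Response.StatusCode = 400;
    Response.TrySkipIisCustomErrors = true;
    Response.ContentType = "text/html";

    // Static markup only: nothing from the request is echoed back.
    Response.Write(@"<html><head><title>HTML Not Allowed</title></head>
<body style='font-family: Arial, Sans-serif;'>
<h1>Oops!</h1>
<p>I'm sorry, but HTML entry is not allowed on that page.</p>
<p>Please make sure that your entries do not contain
any angle brackets like &lt; or &gt;.</p>
<p><a href='javascript:history.go(-1)'>Go back</a></p>
</body></html>");

    Response.End();        // complete the request before the handler returns
}
```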

9 comments:

Sarkie said...

Do you have to add the mime content type just before you finish, just in case the browser is stupid?

htn0200 said...

You're out-thinking things, aren't you? Do this:

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();

        if (ex is HttpRequestValidationException)
        {
            Response.Redirect("FriendlyMessage.aspx", true);
        }
    }

Unknown said...

Was searching for this and found this useful.

Bookmarked:
http://codebounce.com/ASPNET

Unknown said...

Where are you putting this code? Does it go in the page load event - or somewhere else?

Unknown said...

thanks dude - I thought from the description that it couldn't go in your global.asax file because it couldn't be caught until the request completed. Re-reading it I guess it means that it will look like it's not going to be caught but then it will be?
I think I'll add it into a separate class file and place it in the App Code folder.

thanks again,

Jez

danbriapps said...

I know this post is 4 years old but I wanted to say thanks!

Also, to get this working I had to add Server.ClearError() before Response.Clear(). After that it worked perfectly.

nik.agarwal said...

Thanks, it works :)

Hagen Mobiler said...

Year 2015 and still working!
Just what I need, a different message instead of the YSoD.
Now I'm going to redirect to a page according to my web application.
Thanks