This was an interesting experience, and I’d definitely like to share the tricks learned while developing this website in Sitecore for one of our clients.
This site was migrated from an existing one. Everything was fine in UAT/staging and ready for release. But when we switched the DNS, instead of a beautiful home page, an ugly yellow/red .NET error message showed up:
HttpRequestValidationException: A potentially dangerous Request.Cookies value was detected from the client…
Immediately, questions came up: what’s that? Why?
Since the message mentioned cookies, I checked the browser and found a cookie that had been created by the previous site (the one we migrated from) when I browsed it. The cookie value contained HTML tags like “<b>” and “<br>”, even though they were harmless. Now it was clear that the new site’s page request was being blocked by .NET HTTP runtime request validation.
According to the Microsoft documentation for the HttpRuntimeSection.RequestValidationMode property, these are the available settings:
- 4.5 (the default). In this mode, values are lazily loaded, that is, they are not read until they are requested.
- 4.0. The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever any HTTP request data is accessed. This guarantees that the request validation is triggered before data such as cookies and URLs are accessed during the request. The request validation settings of the <pages> element (if any) in the configuration file or of the @ Page directive in an individual page are ignored.
- 2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the <pages> element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.
When I checked the web.config of the installed Sitecore instance, “requestValidationMode” was set to 4.0 by default, as shown below:
<httpRuntime targetFramework="4.5.2" maxRequestLength="512000" executionTimeout="3600" enableKernelOutputCache="false" relaxedUrlToFileSystemMapping="true" requestValidationMode="4.0" enableVersionHeader="false" />
After I changed it to 4.5, which is lazy loading, the site displayed fine. Then we went through all the code to make sure that request validation was handled at page level as requested.
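
With requestValidationMode="4.5", a leftover cookie is only validated when code reads it through Request.Cookies, so it can be inspected and cleaned up without tripping the exception. The Global.asax.cs fragment below is an added example, not code from the original project; the cookie name LegacyPrefs, the cookie path "/" and the helper names are assumptions.

```csharp
using System;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical name of the cookie left behind by the previous site.
    private const string LegacyCookieName = "LegacyPrefs";

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Request.Unvalidated returns the raw value without running request
        // validation. Reading the same key through Request.Cookies would
        // validate it and throw HttpRequestValidationException for "<b>".
        HttpCookie legacy = Request.Unvalidated.Cookies[LegacyCookieName];
        if (legacy == null || !ContainsMarkup(legacy.Value))
        {
            return;
        }

        // Expire the stale cookie so the browser stops sending it.
        // Assumption: the old site set it on path "/" of the same host;
        // Path (and Domain, if one was set) must match the original cookie.
        var expired = new HttpCookie(LegacyCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            Path = "/",
            HttpOnly = true
        };
        Response.Cookies.Add(expired);
    }

    // Coarse check used only to decide whether the cookie is a leftover
    // that carries markup; it is not a replacement for request validation.
    private static bool ContainsMarkup(string value)
    {
        return !string.IsNullOrEmpty(value) && value.IndexOf('<') >= 0;
    }

    // If a raw cookie value ever has to be shown on a page, encode it on
    // output, because it has bypassed request validation.
    public static string EncodeForHtml(string rawCookieValue)
    {
        return HttpUtility.HtmlEncode(rawCookieValue ?? string.Empty);
    }
}
```

Under requestValidationMode="4.0" this handler does not help, because validation is triggered as soon as any request data is accessed.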