We have a text box in sitecore that allows users to search for things. This posts back to the server which goes off, does a search and returns some results (showing them on the screen).
When I input something dodgy, e.g. some markup, I would expect to receive a .net exception along the lines of:
A potentially dangerous Request.QueryString value was detected from the client (q="<img src="http://www..."). 
As I understand it, that has been default behaviour since v1.1 of ASP.NET. And then in v4.0 it remained the default; they just extended it to all requests (not just web pages).
So the question is as follows:
1. How have Sitecore disabled this?
2. What can I do to re-enable this globally (i.e. not on a per page basis)?
I note there is a section of the web.config that starts like this:
<!-- Continue to run Sitecore without script validations -->
<pages validateRequest="false" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
You answered your own questions. Here are answers to your questions:
In Sitecore the default web.config comes with this set as
<pages validateRequest="false" ... />
To turn it on, set it to true.
Also, you can take a look at this blog post which indicates the SuppressFormValidation processor in the PreprocessRequest pipeline may be causing this issue you're having.
Here's the "offending" code that was identified:
using System;
using System.Collections.Specialized;
using System.Web;
using Sitecore.Diagnostics;

namespace Sitecore.Pipelines.PreprocessRequest
{
    public class SuppressFormValidation : PreprocessRequestProcessor
    {
        public override void Process(PreprocessRequestArgs args)
        {
            Assert.ArgumentNotNull(args, "args");
            try
            {
                // Reading Request.Form forces ASP.NET to run request validation now,
                // early in the pipeline, instead of when a page later reads the form.
                NameValueCollection form = args.Context.Request.Form;
            }
            catch (HttpRequestValidationException exception)
            {
                // The exception is caught for every request, so later reads of
                // Request.Form no longer throw: validation is suppressed site-wide.
                // Outside the Sitecore shell the failure is merely logged.
                if (!args.Context.Request.RawUrl.StartsWith("/sitecore/shell/", StringComparison.InvariantCultureIgnoreCase))
                {
                    Log.Error(exception.Message, exception, this);
                }
            }
        }
    }
}
The blog post has new code you can replace it with to only suppress validation in the Sitecore shell (the back-end GUI).
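A replacement processor that limits the suppression to the shell, written here as an added example (it is neither the blog post's code nor Sitecore's own); the namespace and class name are assumed, and it uses the PreprocessRequestProcessor and Sitecore.Diagnostics types shown above:

```csharp
using System;
using System.Web;
using Sitecore.Diagnostics;
using Sitecore.Pipelines.PreprocessRequest;

namespace MySite.Pipelines.PreprocessRequest // hypothetical namespace
{
    // Touch Request.Form (and therefore absorb the validation error) only for
    // Sitecore shell requests; every other request keeps normal ASP.NET validation.
    public class SuppressShellFormValidation : PreprocessRequestProcessor
    {
        private const string ShellPrefix = "/sitecore/shell/";

        public override void Process(PreprocessRequestArgs args)
        {
            Assert.ArgumentNotNull(args, "args");
            HttpRequest request = args.Context.Request;

            if (!request.RawUrl.StartsWith(ShellPrefix, StringComparison.InvariantCultureIgnoreCase))
            {
                // Front-end request: leave Form untouched so validation still runs
                // (and throws HttpRequestValidationException) when a page reads it.
                return;
            }

            try
            {
                // Shell request: trigger validation here so the exception is raised
                // in the pipeline rather than in the back-end UI.
                int fieldCount = request.Form.Count;
            }
            catch (HttpRequestValidationException exception)
            {
                // Content editors legitimately post markup from the shell; record it and continue.
                Log.Warn("Suppressed form validation for shell request: " + exception.Message, this);
            }
        }
    }
}
```

Register this class in place of SuppressFormValidation in the preprocessRequest pipeline configuration (pipeline name assumed from the text above) and set validateRequest back to true; front-end posts containing markup will then fail validation as the question expects.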