FreeTextBox and Asp.Net 4.0 request validation

In Asp.Net 4.0 the request validation model has changed (Yet another breaking change).
In short, request validation is a security feature of Asp.Net which meant to prevent XSS and script injection attacks. As of 4.0 the behavior of request validation has changed.
Validation of the input is now performed in the BeginRequest stage of the page life-cycle.

When we converted out web application to Asp.Net 4.0, we found out that one of our pages, which uses a control call FreeTextBox, threw a validation exception each time an input was typed and submitted in that control.

FreeTextBox control is used to allow users to create composite text which can be displayed in html – features like font sizes/types, bold, alignment etc… The control actually creates html from the user input and commands.

Asp.Net 4.0 interprets the generated input from the control as a XSS attack and prevents the page from running.

Doron posted on this subject, but in Asp.Net 4.0 there is no page directive for the mode of the request validation.

The immediate solution was to change the request validation model to run in Asp.Net 2.0 runtime. The change is quite simple. Simply add the following line to the web.config, under the system.web node:

<system.web>  
    ...
    <httpRuntime requestValidationMode="2.0" />
    ...
</system.web>  

If your page is in a folder you can create a web.config file their and put this line so the request validation in 2.0 mode will work only on the pages in that folder (so the other pages in the app can use the 4.0 mode).

In the long run we plan to upgrade the control (which is pretty old) to a newer version (impossible now due to an upgrade to the FreeTextBox site) or to replace it with RadEditor control from the RadControls suite, which from initial tests doesn’t have this problem.