
Isn't dangerous if I set ValidateRequest to false?


I'm using the FreeTextBox HTML editor in some web forms in my ASP.NET project. If I do not set the ValidateRequest property to false I get this error:

A potentially dangerous Request.Form value was detected from the client

It's OK in the admin folder though, because only authorized users have access to work with it. But what about public pages, like sections where every user has access to leave comments (using FreeTextBox for collecting users' comments)? Isn't it risky for an XSS attack? If the answer is not yes, then what's the ValidateRequest property for?


Solution

  • Nope, you are correct, this is potentially dangerous. The idea behind it is that .NET doesn't want to restrict what can be done with its controls, but at the same time wants to remove many of the possibilities for a security hole. The ValidateRequest property is there so you can tell ASP.NET, "Hey, don't worry about this. I'm going to validate it myself, because I expect something that may look dangerous to you."

    It's set to validate responses by default, because not validating potential XSS attacks is dangerous, and it's better to get a validation error that you didn't realize than have your site hacked.
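As an added example (not part of the question or the answer above), one way to do the "validate it myself" part from the answer: an allowlist sanitizer in C# applied server-side to the FreeTextBox value on a page that sets ValidateRequest="false" (on .NET 4.0 and later the page directive only takes effect with `<httpRuntime requestValidationMode="2.0" />` in web.config). It assumes the HtmlAgilityPack NuGet package; the tag and attribute allowlists are illustrative choices, not a recommendation from FreeTextBox or ASP.NET.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack;

public static class CommentSanitizer
{
    // Tags a public comment may keep; script, iframe, style, object, img are deliberately absent.
    private static readonly HashSet<string> AllowedTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a", "blockquote" };

    // Only <a href> keeps an attribute, so no on* handlers, style or src survive.
    private static readonly Dictionary<string, HashSet<string>> AllowedAttrs =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        { { "a", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href" } } };

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);

        // ToList() snapshots the nodes because the loop mutates the tree.
        foreach (HtmlNode node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment) { node.Remove(); continue; }
            if (node.NodeType != HtmlNodeType.Element) continue;

            // Disallowed element: drop it together with everything inside it.
            if (!AllowedTags.Contains(node.Name)) { node.Remove(); continue; }

            HashSet<string> keep;
            AllowedAttrs.TryGetValue(node.Name, out keep);
            foreach (HtmlAttribute attr in node.Attributes.ToList())
            {
                if (keep == null || !keep.Contains(attr.Name) || !IsSafeHref(attr.Value))
                    attr.Remove();
            }
        }
        return doc.DocumentNode.OuterHtml;
    }

    // href must parse as an absolute http(s) URL; "javascript:" and "data:" fail this check.
    private static bool IsSafeHref(string value)
    {
        Uri uri;
        return Uri.TryCreate(HtmlEntity.DeEntitize(value).Trim(), UriKind.Absolute, out uri)
               && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }
}
```

Run it on the posted value in the server-side handler (anything the editor filters client-side can be bypassed by posting the form directly) and store or render only the returned string; plain-text fields elsewhere on the page still need HtmlEncode.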