ASP.NET Potentially Dangerous Request

In my ASP.NET application I am logging any application errors that occur and one that occasionally comes up is:

A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$ddl_Months="<a").

I understand that this is to do with the "<"; however, the DropDownList does not contain this.

Markup:

<select name="ctl00$MainContent$ddl_Months" onchange="javascript:setTimeout(&#39;__doPostBack(\&#39;ctl00$MainContent$ddl_Months\&#39;,\&#39;\&#39;)&#39;, 0)" id="ctl00_MainContent_ddl_Months">
    <option selected="selected" value="201011">201011</option>
    <option value="201010">201010</option>
    <option value="200906">200906</option>
    <option value="200905">200905</option>
    <option value="200904">200904</option>
</select>

Code:

Markup

<asp:DropDownList ID="ddl_Months" runat="server" AutoPostBack="true" OnSelectedIndexChanged="ddl_Months_SelectedIndexChanged" />

Code behind

// Fetch the months that have reports for this bureau
DataTable tblMonths = GlobFunctions.GetData("GetBureauReportsMonths", GlobVar.conStrX, new SqlParameter[1]
{
    new SqlParameter("@BureauNumber", BureauCode)
});

List<string> months = new List<string>();

// Copy the first column of every row into the list, HTML-encoding each value
for (int i = 0; i < tblMonths.Rows.Count; i++)
{
    months.Add(Server.HtmlEncode(tblMonths.Rows[i][0].ToString()));
}

// Bind the list as both the text and the value of each option
ddl_Months.DataSource = months;
ddl_Months.DataBind();

I am unable to replicate this error and was wondering what options are available to me to solve this issue?


If you aren't able to reproduce this and you've verified that all of your database values are correct without the HTML tag characters, then what you are probably seeing is an attempted attack on your site. Cross Site Scripting (XSS) attackers like to modify the values of select list options and hidden fields because many Web developers won't think to validate those values. The (misguided) idea is that those values are safe because they are provided by the application and "normal users" can't change them.

If you can, capture and review the context of the request that caused the error (stack trace, session values, request information). Look at the Referrer URL to see if it's something other than you expect. Look at the Remote Address (the client IP address) and do a WhoIs look-up on it. This might help you determine where the request came from, which can help you determine if it was a valid request or if it was something a bit shady.

If this were happening with an input field such as a textbox, then it could be your users "accidentally" entering the invalid character. Since it's happening with a select list, which is pre-populated, I think the evidence points to an XSS attack. ASP.NET is doing exactly what it's supposed to do - preventing you from inadvertently saving HTML tags where you don't want them.

WiseGuyEh originally mentioned the XSS possibility in the comments. I don't think the HTML encoding trick will do anything for you in this particular situation because your database values are all numbers and don't contain characters that need to be encoded.

Another (perhaps remote) possibility is that some stray quote characters (") are causing the DOM to become corrupt. I mention this only because I've been a victim of this myself on occasion, but I doubt that it applies here because of the intermittent nature of your errors.
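The answer above recommends capturing the context of the offending request (referrer, client address, request details). As an added example that is not part of the answer or the asker's project, the Global.asax.cs handler below records exactly that context whenever request validation rejects a value, without reading Request.Form (which would re-trigger the validation exception). AppLog.Write is a hypothetical stand-in for whatever error logging the application already uses.

```csharp
// Added example, not from the original post: log the request context the
// answer suggests reviewing when ASP.NET request validation fires.
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
        {
            return;
        }

        // ASP.NET usually wraps page errors in HttpUnhandledException, so look one level down too.
        HttpRequestValidationException rve = ex as HttpRequestValidationException
            ?? ex.InnerException as HttpRequestValidationException;
        if (rve == null)
        {
            return; // not a request-validation failure; leave it to the existing error logging
        }

        HttpRequest req = Request;

        // Deliberately avoid Request.Form / Request.QueryString here: touching them
        // runs request validation again and throws a second time.
        // The exception message already names the form key and the start of the value.
        string detail = string.Join(Environment.NewLine, new[]
        {
            "Request validation failure",
            "Message:        " + rve.Message,
            "Remote address: " + req.UserHostAddress,
            "Referer header: " + (req.Headers["Referer"] ?? "(none)"),   // raw header; UrlReferrer can throw on malformed values
            "User agent:     " + (req.UserAgent ?? "(none)"),
            "Method:         " + req.HttpMethod,
            "Raw URL:        " + req.RawUrl,
            "Time (UTC):     " + DateTime.UtcNow.ToString("o")
        });

        // Hypothetical logger; substitute the application's own.
        AppLog.Write(detail);

        // Server.ClearError() is intentionally not called, so the error still
        // reaches the application's normal error page / logging path.
    }
}
```

With the remote address and Referer header in the log it is possible to tell whether the bad posts come from one source that never loads the page first (no Referer, no session) or from real sessions, which is the distinction the answer is asking the poster to make.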


Set the following code in your page directive

ValidateRequest="false"
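When request validation is switched off for the page as suggested above, nothing else rejects a posted ddl_Months value that was never one of the bound options, so the handler has to check it itself. As an added example that is not part of the answer or the asker's code, the code-behind below verifies the raw posted value against the format the page binds ("yyyyMM" strings) and against the control's own item list before using it; AppLog.Write and LoadReport are hypothetical names.

```csharp
// Added example, not from the original post: server-side check of the posted
// month on a page whose directive carries ValidateRequest="false".
using System;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class BureauReports : Page
{
    // The list is bound from six-digit month strings such as "201011",
    // so anything else cannot have come from this page's own markup.
    private static readonly Regex MonthFormat = new Regex(@"^\d{6}$", RegexOptions.Compiled);

    protected void ddl_Months_SelectedIndexChanged(object sender, EventArgs e)
    {
        // Read the raw posted value rather than SelectedValue, so the check sees
        // exactly what the client sent (with ValidateRequest off this does not throw).
        string posted = Request.Form[ddl_Months.UniqueID];

        if (posted == null
            || !MonthFormat.IsMatch(posted)
            || ddl_Months.Items.FindByValue(posted) == null)
        {
            // Hypothetical logger: record the rejected value's source and stop.
            // The value itself is not echoed back to the page.
            AppLog.Write("Rejected ddl_Months value from " + Request.UserHostAddress
                         + " (length " + (posted == null ? 0 : posted.Length) + ")");
            return;
        }

        // Only a value that was in the bound list reaches the data layer.
        LoadReport(posted); // hypothetical report-loading method
    }
}
```

The format check is the part worth keeping even if the page directive is later changed back: it expresses what the field is allowed to contain, which request validation's generic "<" rule does not.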
