If you’re ever finding that ValidateRequest isn’t working in your Sitecore site and the dodgy script tag in your form gets posted anyway, this is why.
-
namespace Sitecore.Pipelines.PreprocessRequest
-
{
-
public class SuppressFormValidation : PreprocessRequestProcessor
-
{
-
public override void Process(PreprocessRequestArgs args)
-
{
-
Assert.ArgumentNotNull(args, “args”);
-
try
-
{
-
NameValueCollection form = args.Context.Request.Form;
-
}
-
catch (HttpRequestValidationException exception)
-
{
-
if (!args.Context.Request.RawUrl.StartsWith(“/sitecore/shell/”, StringComparison.InvariantCultureIgnoreCase))
-
{
-
Log.Error(exception.Message, exception, this);
-
}
-
}
-
}
-
}
-
}
See what they did there?!
Initially I just removed the processor from the config, but then I added it back in. This is my “fix”.
-
namespace SC.Pipelines.PreprocessRequest
-
{
-
public class SuppressFormValidation : PreprocessRequestProcessor
-
{
-
public override void Process(PreprocessRequestArgs args)
-
{
-
bool isShell = args.Context.Request.RawUrl.StartsWith(“/sitecore/shell/”, StringComparison.InvariantCultureIgnoreCase);
-
if (isShell)
-
{
-
Assert.ArgumentNotNull(args, “args”);
-
try
-
{
-
//requesting these objects for the first time will trigger ‘ValidateRequest’ to ensure no script is being posted
-
var form = args.Context.Request.Form;
-
var qs = args.Context.Request.QueryString;
-
var cookies = args.Context.Request.Cookies;
-
}
-
catch (HttpRequestValidationException) { }
-
}
-
}
-
}
-
}
Disposition 
[…] you can take a look at this blog post which indicates the SuppressFormValidation processor in the PreprocessRequest pipeline may be […]