Why does WorkflowGen require that request validation settings be disabled?


WorkflowGen requires that the ValidateRequest property be set to false and RequestValidationMode be set to 2.0. This is because many pages require sending XML or HTML data from the client browser to the server, whether from a user entering a query in a field or simply from the tools used in WorkflowGen.

One example of such a tool is the form designer, which allows you to create customized forms with nearly limitless possibilities. Another example is the Advanced View feature, which lets you customize individual columns using JavaScript code. However, WorkflowGen ensures that most user inputs transmitted back to the client page are sanitized so that no malicious script or HTML injection is possible.

For users who are not administrators, the WorkflowGen configuration settings can be used to restrict such usage according to the user’s role. The goal is to let the client finely control which programming features their users, supervisors, and process managers are allowed to use. An example of this would be a permission to create custom columns or custom charts in Advanced View with user-input JavaScript.

Examples

WorkflowGen v6

<configuration>
    <system.web>
        <httpRuntime requestValidationMode="2.0"></httpRuntime>
        <pages validateRequest="false"></pages>
    </system.web>
</configuration>

WorkflowGen v5

<configuration>
    <system.web>
        <pages validateRequest="false"></pages>
    </system.web>
</configuration>
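
The following added example (not WorkflowGen's own code) is a Python check that reads a web.config and reports, for the root and each `<location>` path, whether ASP.NET request validation is still enforced for pages. It relies on documented ASP.NET behaviour: under `requestValidationMode` 4.0, the default on ASP.NET 4 and later, `validateRequest="false"` is ignored. The function names, the `default_mode` parameter and the `reports` path are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# The v6 sample from this page, plus a constructed <location> override ("reports" is hypothetical).
V6_WITH_OVERRIDE = """<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0"></httpRuntime>
    <pages validateRequest="false"></pages>
  </system.web>
  <location path="reports">
    <system.web><pages validateRequest="true"></pages></system.web>
  </location>
</configuration>"""
# The v5 sample from this page.
V5 = """<configuration><system.web>
  <pages validateRequest="false"></pages>
</system.web></configuration>"""

def _settings(system_web, inherited):
    """Merge one <system.web> element over the inherited (mode, validate) pair."""
    mode, validate = inherited
    if system_web is None:
        return mode, validate
    runtime = system_web.find("httpRuntime")
    if runtime is not None and runtime.get("requestValidationMode"):
        # ASP.NET treats any version below 4.0 as 2.0, anything else as 4.0.
        major = int(runtime.get("requestValidationMode").split(".")[0])
        mode = "2.0" if major < 4 else "4.0"
    pages = system_web.find("pages")
    if pages is not None and pages.get("validateRequest"):
        validate = pages.get("validateRequest").strip().lower() == "true"
    return mode, validate

def audit(web_config_xml, default_mode="4.0"):
    """Return {scope: bool}: True means request validation is still enforced for pages."""
    root = ET.fromstring(web_config_xml)
    for el in root.iter():  # tolerate an xmlns on <configuration>
        el.tag = el.tag.rsplit("}", 1)[-1]
    base = _settings(root.find("system.web"), (default_mode, True))
    scopes = {"(root)": base}
    for loc in root.findall("location"):
        scopes[loc.get("path", ".")] = _settings(loc.find("system.web"), base)
    # In 4.0 mode validation runs for every request and validateRequest is ignored.
    return {scope: mode == "4.0" or validate for scope, (mode, validate) in scopes.items()}

if __name__ == "__main__":
    for name, xml in (("v6 + override", V6_WITH_OVERRIDE), ("v5 on ASP.NET 4+", V5)):
        print(name, audit(xml))
```

Every scope reported as `False` accepts raw markup from the browser, so those are the pages where output encoding and the role-based restrictions described above are the only controls left.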