It should NOT be used as your sole method of XSS protection, and does not guarantee to catch every type of invalid input.
There are known, documented bypasses (such as JSON requests) that will not be addressed in future releases, and the request validation feature is no longer provided in ASP. Fully protecting your application from malicious input requires validating each field of user supplied data. NET Validation Controls and/or Data Annotations attributes to check for: Starting with ASP.
This MSDN article has an example of using both server side and client side validation: Custom Validator Example I used your markup and code-behind and it seems to work.
NET 4.0 request validation is performed for all requests, not just for page requests.
To ensure this is configured correctly request Validation Mode should be set to "4.0" (or not set at all) in web.config: There are enhancements added to request validation starting with ASP.
You might want to experiment with setting Culture Invariant Values to true and see if that solves your problem.
Otherwise you may need to change the Date Time Format for the current culture (or the culture itself) to get what you want.
Request validation helps to prevent this kind of attack by throwing a "potentially dangerous value was detected" error and halting page processing if it detects input that may be malicious, such as markup or code in the request.
Request validation is generally desirable and should be left enabled for defense in depth.
NET Request Validation, such as when receiving HTML markup from the end user.
In these scenarios you should disable request validation for the smallest surface possible. NET Web Forms applications prior to v4.5, you will need to disable request validation at the page level.
NET and Web Services Solutions conference produced by PRO. He has also worked with large corporate clients including Microsoft, Universal Studios, MGM Studios, Monster.com/Flip Dog.com, Intel, Polygram Pictures, Prudential, Micro Accounting Systems, Sky Harbor International Airport, and Southern Automated Systems on projects using Microsoft technologies such as Visual Fox Pro, Visual Studio. Most applications perform their data validation on the user's local computer.
He is a published author on several subjects including XML, the migration from Visual Basic 6 to VB. In this scenario, if an error occurs while performing validation on the user's computer, the application can directly display the error message on the page that the user is viewing without the page making a round trip to the Web server and then back to the user.
If I enter 1 January 1000 as the min or max value I get an error saying value cannot be converted to type date, but if I use another format it picks up my entered text as invalid.