>I did add the following in Web.Config in the httpRunTime tag:
>
>requestValidationType="Framework.Framework.CustomRequestValidation,Framework"
>
>I verified that it is using it. If I change the namespace to something else or the assembly name to something else, IIS will report the error. So, this is the proper syntax.
>
>Just to be sure it would go in it, I simply entered a redirect command at first:
>
>
> Public Class CustomRequestValidation
> Inherits System.Web.Util.RequestValidator
>
> Protected Overloads Overrides Function IsValidRequestString(ByVal context As HttpContext, ByVal value As String, _
> ByVal requestValidationSource__1 As System.Web.Util.RequestValidationSource, ByVal collectionKey As String, _
> ByRef validationFailureIndex As Integer) As Boolean
>
> HttpContext.Current.Response.Redirect("Default.aspx")
>
>
>But, I still have the error.
>
>The redirection does not take place. So, it seems the IIS still has priority over this code and shows me the standard "A potentially dangerous Request.Path value was detected from the client (&)." message.
I agree that it sounds as if you are referencing the correct class/assembly in web.config.
But I don't know why the redirect didn't work (or, come to that, why the default validator was called)
The implication is that although properly referenced your class is not in fact being used.
Are you sure the page in question is within the relevant web.config scope?
Is your IsValidRequestString method calling the base class implementation ?
First step is to establish for sure whether your method is being called (either via debug or event logging?)
FWIW I just tested using the sample class I posted earlier and that worked as expected so the principle is correct.....