Is it possible to capture the offending text from an HttpRequestValidationException in the Global.asax.cs Application_Error() method for logging purposes? Or does the ASP.NET handler discard the data for security purposes? Tried the (Inner)Exception.Data dictionary but it was empty.
You should be able to capture it - unless it's IIS's request validation that's capturing the request in which case your exception handler doesn't fire.
Make sure nothing else is clearing the exception first.
+++ Rick ---
Copy that, thx Rick. Yes, validateRequest is true (the default) for the application so IIS is capturing the request and throwing the error. The Application_Error() method in global.asax does fire, I trap the error there and redirect the user to an error page notifying them of the error and the reason for it (and a no-no warning). But I have not found any way in Application_Error() to retrieve the actual text that triggered the error. It all currently works fine but I was hoping to log the actual text that triggered the error for analysis and documentation.
Are you getting the actual HttpRequestValidationException? I wouldn't expect there to be an inner exception because that's pretty much a top level exception. If you are getting it, then all the information you are getting is all you're going to get I think, but I think you should see the same message that you'd get if there is no Application_Error handling in place (i.e. the yellow screen of death that usually tells you the invalid text that's being rejected).
+++ Rick --
Yes, I trap for the specific HttpRequestValidationException among others in the Application_Error handler. I checked the exception Data array for additional data and there is none. I also check for an InnerException but there is none either. As a result I have just assumed that ASP.NET does not pass the offending text on to the error handler, but wanted to check in case I am missing something.
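
Following the point above that the exception's own message is where the rejected text shows up, here is an added example (not code from anyone in this thread) of an Application_Error handler that logs that message safely. The `ForLog` helper, the `~/Error.aspx` path and the use of `Trace` as the log sink are assumptions for illustration; so is the expectation that `Message` names the request collection and quotes a snippet of the rejected value, as the yellow error screen does.

```csharp
using System;
using System.Diagnostics;
using System.Text;
using System.Web;

public class Global : HttpApplication
{
    // Cap on logged characters so a hostile request cannot flood the log.
    private const int MaxLoggedChars = 512;

    protected void Application_Error(object sender, EventArgs e)
    {
        // Walk the chain in case the validation exception arrives wrapped.
        HttpRequestValidationException validationError = null;
        for (Exception ex = Server.GetLastError(); ex != null; ex = ex.InnerException)
        {
            validationError = ex as HttpRequestValidationException;
            if (validationError != null) break;
        }
        if (validationError == null) return; // other errors: handle elsewhere

        // Exception.Data and InnerException are empty for this exception type;
        // the detail is carried in Message. Only the message is logged here,
        // the request collections are not read again.
        Trace.TraceWarning(
            "Request validation failed: method={0} client={1} detail={2}",
            ForLog(Request.HttpMethod),
            ForLog(Request.UserHostAddress),
            ForLog(validationError.Message));

        Server.ClearError();
        Response.Redirect("~/Error.aspx"); // hypothetical error page
    }

    // Hypothetical helper: replaces control characters (CR/LF included) so the
    // attacker-supplied snippet cannot forge extra log lines, and truncates.
    private static string ForLog(string value)
    {
        if (string.IsNullOrEmpty(value)) return "(none)";
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            if (sb.Length >= MaxLoggedChars) break;
            sb.Append(char.IsControl(c) ? ' ' : c);
        }
        return sb.ToString();
    }
}
```

The logged detail is attacker-controlled markup, so HTML-encode it wherever the log is later displayed in a browser.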