Question:

In Sitecore 9.3, SuppressFormValidation is not available, what is the replacement?

Sitecore

William: 19 May 2022

We are upgrading from Sitecore 8.2 to 9.3. In our 8.2 solution, there is a patch created with the type SuppressAdfsFormValidation

<sitecore>
   <pipelines>
      <preprocessRequest>
         <processor patch:instead="*[@type='Sitecore.Pipelines.PreprocessRequest.SuppressFormValidation, Sitecore.Kernel']" type="Sample.Pipelines.PreprocessRequest.SuppressAdfsFormValidation, Sample" />
      </preprocessRequest>
   </pipelines>
</sitecore>

which inherits PreProcessRequestProcessor and here is the implementation provided below:

public class SuppressAdfsFormValidation : PreprocessRequestProcessor
{
    public override void Process(PreprocessRequestArgs args)
    {
        Assert.ArgumentNotNull(args, "args");

        try
        {
            new SuppressFormValidation().Process(args);
        }
        catch (HttpRequestValidationException)
        {
            string rawUrl = args.HttpContext.Request.RawUrl;
            if (!rawUrl.Contains("sample item") && !rawUrl.Contains("secure") && !rawUrl.Contains("login"))
            {
                throw;
            }
        }
    }
}

We could not find the SuppressFormValidation() in

Sitecore.Kernel.dll(14.0.0.0) -> Sitecore.Pipelines.PreProcessRequestProcessor

Could you please suggest if there is any alternative to implement this feature?

Answer:
Henry: 19 May 2022

I think this processor was added only for sitecore 8 because the asp.net request validation has been changed in .NET 4.0 and it was breaking the content editor, if you take a look at the current implementation you'll see that this processor is introduced for this:

Suppresses the form validation excheption that has been introduced in .NET 4.0 for Sitecore backend.

Please also take a look at the post https://stackoverflow.com/questions/9114276/request-validation-how-and-why-is-it-disabled-in-sitecore and the sitecore KB article https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0031258.

However this processor is disabling completely the validation and if you would write cross site queries like ?<script>alert('attack');</script> the page would still load normally. To fix this you would have needed to override the processor like described here https://www.loic-rabehaja.com/sitecore-blog/2015/6/2/prevent-xss-attack-on-sitecore-cms-use-of-in-built-net-validation. Hence it was removed in newer sitecore versions and I wouldn't recommend to preserve this functionality after you upgrade.

If you need to disable the request validation I think you should try to handle it at the page level instead of the whole website.