Custom handler for HttpRequest validation

  • Thread starter: John Timney (Microsoft MVP)

John Timney (Microsoft MVP)

You could write something called an IHttpHandler that checks the values of
fields and denies access if any values in the forms collection contain
banned chars. This approach means you don't interfere at all with the actual
page contents, as it runs at application level and would affect every page
without any validators being added.

Of course you'll have to performance check the handler to assess its impact
on your app.

--
Regards

John Timney
Microsoft Regional Director
Microsoft MVP
 
I am developing an intranet application that has to pass an internal security
audit. The framework version that I am using is .NET Framework version 1.1.
Some combinations of text entered in any text box, involving for example a
"less than" character followed by any alpha character, trigger an exception
(HttpRequestValidationException). So, the framework detects a potential
script injection, triggers an exception and the user gets an application error.
My problem is that most data entry controls have their own validators, which
should detect this type of condition and print an appropriate format
validation error in the validator summary control, before presenting the
user with an error screen.
Setting validateRequest to false is not an option, because of the security
requirements. Also, using HTTPEncode/Decode for all the fields is a bad
option too, due to the large amount of work already put into the
application. My best bet is to write a custom handler that will leave the
controls that have their own validators to these validators and use HTTP
encoding for the few remaining free-form fields. Are there any hooks in the
framework that allow me to accomplish that?
 
John,

Thanks for your suggestion. It looks like this is the only way to go, so I
will be coding the handler this week. I am not worried too much about the
performance impact; the app runs in an NLB environment, so if we have any
problems, we will add a new server (or two).
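
A sketch of the application-level check suggested in the reply above, added here as an example and not code from any poster in the thread. It is written as an IHttpModule, the ASP.NET pipeline hook that runs for every request; the class name `FormCharFilterModule`, the banned pattern and the 400 response are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical module name; not part of the framework or the thread.
public class FormCharFilterModule : IHttpModule
{
    // Constructed pattern: the condition described in the question,
    // a "less than" character followed by an alphabetic character.
    private static readonly Regex Banned =
        new Regex("<[A-Za-z]", RegexOptions.Compiled);

    public void Init(HttpApplication app)
    {
        // BeginRequest fires before any page or validator code runs.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    // Returns the name of the first field holding a banned sequence,
    // or null when every posted value is clean.
    public static string FindBannedField(NameValueCollection form)
    {
        foreach (string key in form.AllKeys)
        {
            string[] values = form.GetValues(key);
            if (values == null) continue;
            foreach (string v in values)
                if (Banned.IsMatch(v)) return key == null ? "(unnamed)" : key;
        }
        return null;
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        if (app.Request.HttpMethod != "POST") return;

        string field = FindBannedField(app.Request.Form);
        if (field == null) return;

        // Deny the request and skip the rest of the pipeline.
        app.Response.StatusCode = 400;
        app.Response.Write("Invalid characters in field: " +
            HttpUtility.HtmlEncode(field));
        app.CompleteRequest();
    }
}
```

The module takes effect once it is registered under `<httpModules>` in web.config. It only rejects input early; values that are later written back into a page still need to be HTML-encoded on output.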
 