How to compromise on ValidateRequest?

Discussion in 'ASP .Net' started by AFN, Jun 15, 2004.

  1. AFN

    AFN Guest

    I have a form with 15 fields. I want users to be able to enter "<" and ">"
    characters into 1 of those fields without IIS catching it and disallowing
    the whole page. I did some reading and I *think* that means I MUST set
    ValidateRequest=False. So, two questions:

    1) Do I have to then pass the results of every one of those 15 fields into
    HtmlEncode? like strAfter = HtmlEncode(txtField1.text)? That's annoying
    when I only want to allow 1 field to have the "<" ">" values.

    2) What does the < character turn into when you do HtmlEncode? Generally.
    I don't want it to turn into something like %20. If that is what it does,
    then what other function can I use to test that my input is safe but still
    keep it as < or >?
    AFN, Jun 15, 2004
    #1

  2. Yes, you must set ValidateRequest=False to disable the .NET framework check
    for "<" and ">" symbols.
    Also there is a bug in ValidateRequest that enables writing "<%00" in the form
    fields.
    So the answers:
    1) You have to htmlencode all the fields that you will show on the page (it
    is recommended to htmlencode all of the data).
    2) Character "<" is turned into &lt; and character ">" into &gt;.

    To do this I would suggest you create a CustomValidator control for each of
    the 14 fields, BUT these 14 validators will use one function to check and
    htmlencode the data.

    Hope this helps
    Regards
    Martin

    Martin Marinov, Jun 15, 2004
    #2

  3. bruce barker

    bruce barker Guest

    ValidateRequest=False is to prevent a common coding error. Take the common
    welcome message

    John, welcome to my site

    if implemented as

    <%= UserName %>, welcome to my site

    your page is open to a scripting hack. The user, when they enter their name,
    can input <script>....</script>. The fix, when outputting user input data as
    html, is to encode it when rendered.

    <%= HttpUtility.HtmlEncode(UserName) %>, welcome to my site

    is completely safe. This is more of a problem when users enter data that is
    displayed on other people's pages; then the script can do more damage.

    Note: as any user can run arbitrary javascript on your page through the
    address bar, you should design your page not to trust postback values
    (especially hidden fields).

    -- bruce (sqlwork.com)

    bruce barker, Jun 15, 2004
    #3
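    The advice in replies #2 and #3 pulled together as one added C# example (not code from either poster): what HtmlEncode actually does to "<" and ">" compared with the %20-style output of UrlEncode, one helper that encodes every field instead of 15 hand-written HtmlEncode calls, and a single ServerValidate handler shared by the CustomValidators on the 14 fields that must not contain markup. The control names (txtField1, lblWelcome, valField2) are assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;                // HttpUtility (System.Web.dll)
using System.Web.UI.WebControls; // TextBox, CustomValidator, ServerValidateEventArgs

// Added example for the thread above; names of controls are assumptions.
public static class SafeOutput
{
    // Output encoding for HTML: "<" becomes "&lt;", ">" becomes "&gt;".
    // The browser displays the literal characters but never parses them as tags,
    // so a value like "<script>" is shown as text rather than executed.
    public static string Encode(string userInput)
    {
        return HttpUtility.HtmlEncode(userInput ?? string.Empty);
    }

    // Contrast: URL encoding is what turns a space into "%20". It is for query
    // strings, not for rendering text inside a page.
    public static string EncodeForQueryString(string value)
    {
        return HttpUtility.UrlEncode(value ?? string.Empty);
    }

    // Encode all fields in one pass instead of calling HtmlEncode per field.
    // Returns control ID -> encoded text, ready to be assigned to labels/literals.
    public static Dictionary<string, string> EncodeAll(IEnumerable<TextBox> fields)
    {
        var encoded = new Dictionary<string, string>();
        foreach (TextBox box in fields)
            encoded[box.ID] = Encode(box.Text);
        return encoded;
    }

    // One ServerValidate handler reused by the 14 CustomValidators: the field is
    // rejected if it contains either angle bracket. The 15th field (which may
    // contain "<" and ">") simply has no validator, but is still encoded on output.
    public static void RejectMarkup(object source, ServerValidateEventArgs args)
    {
        args.IsValid = args.Value.IndexOf('<') < 0 && args.Value.IndexOf('>') < 0;
    }
}

// In the .aspx (with ValidateRequest="false" in the @Page directive):
//   <asp:CustomValidator ID="valField2" ControlToValidate="txtField2"
//        OnServerValidate="RejectMarkup" ErrorMessage="No markup allowed" runat="server" />
// and in the code-behind, when rendering a stored value:
//   if (Page.IsValid) lblWelcome.Text = SafeOutput.Encode(txtField1.Text);
```

    Encode at the point of output, not only on the way in: data that was accepted by one page can still be rendered on another, which is the case bruce describes.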