How to compromise on ValidateRequest?

AFN

I have a form with 15 fields. I want users to be able to enter "<" and ">"
characters into 1 of those fields without IIS catching it and disallowing
the whole page. I did some reading and I *think* that means I MUST set
ValidateRequest=False. So, two questions:

1) Do I have to then pass the results of every one of those 15 fields into
HtmlEncode? like strAfter = HtmlEncode(txtField1.text)? That's annoying
when I only want to allow 1 field to have the "<" ">" values.

2) What does the < character turn into when you do HtmlEncode? Generally.
I don't want it to turn into something like %20. If that is what it does,
then what other function can I use to test that my input is safe but still
keep it as < or >?
 
Martin Marinov

Yes, you must set ValidateRequest=False to stop the .NET framework from
checking for "<" and ">" symbols.
Also, there is a bug in ValidateRequest that allows writing "<%00" in the
form fields.
So the answers:
1) You have to htmlencode all the fields that you will show on the page
(it is recommended to htmlencode all of the data).
2) The character "<" is turned into &lt; and the character ">" into &gt;.

To do this I would suggest you create CustomValidator controls for every
one of the 14 fields, BUT these 14 validators will use one function to check
and htmlencode the data.

Hope this helps
Regards
Martin
 
bruce barker

ValidateRequest=False is to prevent a common coding error. Take the common
welcome message

John, welcome to my site

If implemented as

<%= UserName %>, welcome to my site

your page is open to a scripting hack: the user, when they enter their name,
can input <script>....</script>. The fix, when outputting user input data as
HTML, is to encode it when rendered.

<%= HttpUtility.HtmlEncode(UserName) %>, welcome to my site

is completely safe. This is more of a problem when users enter data that is
displayed on other people's pages; then the script can do more damage.

Note: as any user can run arbitrary JavaScript on your page through the
address bar, you should design your page not to trust postback values
(especially hidden fields).

-- bruce (sqlwork.com)
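To make Martin's entity mapping and Bruce's encode-when-rendered point concrete, here is a small console program (an added example, not code from either poster) that renders the welcome message both ways and prints what HttpUtility.HtmlEncode does to the characters AFN asked about. It assumes a .NET console project where the System.Web.HttpUtility assembly is available; the sample name is constructed.

```csharp
using System;
using System.Web;   // HttpUtility; shipped as System.Web.HttpUtility.dll on .NET Core 2.0+

// Added example, not code from the thread. Shows the entities HtmlEncode
// produces for "<" and ">" and why encoding at render time neutralises the
// <script> case described above.
static class WelcomeDemo
{
    // The "<%= UserName %>" pattern: raw input spliced into HTML as-is.
    public static string RenderUnsafe(string userName) =>
        userName + ", welcome to my site";

    // The "<%= HttpUtility.HtmlEncode(UserName) %>" pattern: encode on output.
    // The stored value stays exactly as the user typed it (so the one field
    // that is allowed "<" and ">" keeps them); only the HTML output changes.
    public static string RenderSafe(string userName) =>
        HttpUtility.HtmlEncode(userName) + ", welcome to my site";

    static void Main()
    {
        // Constructed sample input standing in for a posted form field; with
        // ValidateRequest=False this value reaches the page unrejected.
        string name = "John <script>....</script>";

        Console.WriteLine("Unsafe: " + RenderUnsafe(name));
        Console.WriteLine("Safe:   " + RenderSafe(name));

        // The characters AFN asked about, one at a time. HtmlEncode yields
        // named entities (&lt; and so on); the %xx form comes from UrlEncode,
        // which is the wrong function for HTML output and is shown only for contrast.
        foreach (string ch in new[] { "<", ">", "&", "\"" })
        {
            Console.WriteLine($"{ch}  html: {HttpUtility.HtmlEncode(ch),-6}  url: {HttpUtility.UrlEncode(ch)}");
        }
    }
}
```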
 