HttpRequestValidationException

[Jim Butler]

We are using a custom guid generator with encryption, the problem is
sometimes pages will blow up when accessing this value through a post or
get. The encryption mechanism will sometimes generate the "bad" characters
to create this error. We would like to continue to leave validateRequest
turned on. What we would really like to be able to do is call the method
manually to catch an error before the user see's it and generate a new guid
for them that will pass when encrypted. I believe the method is private,
thus our dilema. Is there someway to get around this? Right now, we
generate the value, call a custom page to see if it fails, if so, then
generate a new value. This is way too much work....

Any help much appreciated,

jim butler

 

[Rick Strahl [MVP]]

Can you use Page_Error to trap the error and if it occurs and then call
whatever you need to do in the page?

+++ Rick ---

--

Rick Strahl
West Wind Technologies
http://www.west-wind.com/
http://www.west-wind.com/weblog/

 

[Steven Cheng[MSFT]]

Hi Jim,

I think Rick's suggestion use the Page_Error event to handle the page level
unhandled exception and make the proper processing is reasonable, the
following article has discussing this topic:

#Rich Custom Error Handling with ASP.NET
http://msdn.microsoft.com/library/en-us/dnaspp/html/customerrors.asp?frame=t
rue

As for the @Page 's " ValidateRequest" attribute , as far as I know, this
is only configurable at design time in the @page directive rather than via
code. But we can manually perform the script validation ourself instead of
using the buildin validation. Here is a certain tech article discussing on
manually implement such validation in asp.net1.0 which haven't the buildin
"validateRequest" attribute:

#Adding Cross-Site Scripting Protection to ASP.NET 1.0
http://msdn.microsoft.com/library/en-us/dnaspp/html/scriptingprotection.asp?
frame=true

Hope also helps. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

 

[Jim Butler]

thanks, steven, this is exactly what we were looking for but didn't find...
We will implement our own function that will check the generated encrypted
string while creating the string, if that makes any sense....

jim

 

[Rick Strahl [MVP]]

There's no way to get the ValidateRequest behavior any other way though. The
chekcing for this occurs inside of the guts of ASP.Net, so there's little
you can do about changing the behavior other than capturing the exception.
I'm not sure I see the problem though because if you use Page_Error() you
get notified immediately if the erorr occurs at which point you can call
another method that does the right thing. Isn't this pretty much what you're
asking? Remember the failure will be the first thing that happens. You can
simply ignore it and call Page_Load manually for example to go on (Actually
I think you may have to force the page to manually render at that point but
that's still pretty straight forward.).

+++ Rick ---

--

Rick Strahl
West Wind Technologies
http://www.west-wind.com/
http://www.west-wind.com/weblog/

 

[anant]

I've created a page_error handler in a base usercontrol class to try
and trap the HttpRequestValidationException specifically for instances
of cross site scripting.

The handler works fine for example with Server.GetLastError and a
division by zero error in the page_load event of the child
usercontrol. However, I can't get this to work with
HttpRequestValidationException. Is this possible? I'm still slightly
baffled by the Request Validation feature.

Sorry no code as I'm out of the office but I'd be happy to accommodate
on monday.

Cheers,
Anant