Request Validation

Discussion in 'ASP .Net' started by Victor, Jul 25, 2007.

  1. Victor

    Victor Guest

    Hi guys
    I have a question regarding how to do request validation on users'
    input. We all know that in ASP.NET, when a user inputs something like <a>blah
    blah</a>, by default it will throw an HttpRequestValidationException saying "A
    potentially dangerous Request.Form value was detected from the client". And
    this validation can be turned off in the page.

    Now, I am quite annoyed about all these exceptions caused by someone wanting to
    post some kind of ads on my website. And I really do not want to disable the
    page request validation. The best result for me would be if I can do
    something about it before it reaches the request validation event, like checking
    the user input myself and then redirecting to some other page. If the user continues
    doing that, the system will automatically lock the user's account and send
    an email to the admin.

    Is there any way I can achieve this? Or do you have better ideas? Any help
    will be appreciated.
    Thanks a lot
    Cheers
    Victor
    Victor, Jul 25, 2007
    #1

  2. I suggest you disable the page request validation and instead use
    Microsoft's free Anti-Cross Site Scripting Library.
    http://msdn2.microsoft.com/en-us/security/aa973814.aspx

    If that doesn't work out for you, use a White List approach to specify only
    which characters are allowed - and deny all other characters.

    --
    I hope this helps,
    Steve C. Orr,
    MCSD, MVP, CSM, ASPInsider
    http://SteveOrr.net


    Steve C. Orr [MCSD, MVP, CSM, ASP Insider], Jul 25, 2007
    #2

  3. Hi Victor,

    I agree with Steve here; with the Anti-Cross Site Scripting Library and
    turning off "validateRequest", you should be able to accept any input
    without being vulnerable to malicious script:

    Literal1.Text =
    "Hello " + Microsoft.Security.Application.AntiXss.HtmlEncode(TextBox1.Text)
    + "! Welcome to the examples!";

    Regards,
    Walter Wang (, remove 'online.')
    Microsoft Online Community Support

    ==================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Walter Wang [MSFT], Jul 26, 2007
    #3
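
Added example, not part of any post in this thread: the whitelist approach Steve describes and the output encoding Walter shows, combined with the repeat-offender counting Victor asks about, assuming validateRequest is turned off for the page. `CommentInput`, the allowed-character pattern and the three-strike threshold are assumptions, and `System.Net.WebUtility.HtmlEncode` stands in for `AntiXss.HtmlEncode` so the block compiles without the library.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

// Added illustration; class and member names are hypothetical.
public static class CommentInput
{
    // Whitelist: letters, digits, whitespace and basic punctuation, 1 to 500 chars.
    // Everything else, including '<', '>' and '&', is denied.
    private static readonly Regex Allowed =
        new Regex(@"\A[\p{L}\p{Nd}\s.,!?'()\-]{1,500}\z", RegexOptions.CultureInvariant);

    private const int MaxStrikes = 3; // assumed lockout threshold
    private static readonly Dictionary<string, int> Strikes = new Dictionary<string, int>();
    private static readonly object Gate = new object();

    public enum Result { Accepted, Rejected, Locked }

    public static Result Check(string userName, string input)
    {
        if (input != null && Allowed.IsMatch(input)) return Result.Accepted;
        lock (Gate)
        {
            int n;
            Strikes.TryGetValue(userName, out n);
            Strikes[userName] = ++n;
            // Caller locks the account and notifies the admin on Locked.
            return n >= MaxStrikes ? Result.Locked : Result.Rejected;
        }
    }

    // Encode at output regardless of what validation accepted.
    public static string Greeting(string name)
    {
        return "Hello " + WebUtility.HtmlEncode(name) + "! Welcome to the examples!";
    }
}

public static class Demo
{
    public static void Main()
    {
        string[] samples = { "Victor", "<a href=x>cheap ads</a>", "<b>buy</b>", "<i>now</i>" }; // constructed
        foreach (string s in samples)
            Console.WriteLine("{0,-9} {1}", CommentInput.Check("victor", s), CommentInput.Greeting(s));
    }
}
```

The in-memory strike table resets when the application restarts; a real site would persist the count with the user record.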
  4. Victor

    Victor Guest

    Hi Steve and Walter:
    Thanks for your help. This is really a good clue for me to solve my problem.
    I am still doing research on the AntiXss class. Hopefully, I can start using
    that soon.
    Cheers, thanks again for the help.

    Victor

    Victor, Jul 31, 2007
    #4