validateRequest

clintmazur

I am building a site in which I would like to keep validateRequest turned on,
but I would like to either override it or scrub my inputstream. If the input
has potential for XSS, I don't want to throw an error, I want to clean the
data.

I have tried using the httprequest.filter in my global.asax, but was not
successful. I would like all of my input to be scrubbed with an
HttpUtility.HtmlEncode by default and still have the fall back of
validateRequest just in case I miss something.

Any suggestions (besides turning it off)? I'm using .net 2.0 framework if
that helps at all. Thanks.
 
Dominick Baier

The request validation logic is hardcoded - you cannot use your own algorithms...

You have to turn it off and do it manually - a page base class would be a
good place to do that...

You also wanna have a look at MS' AntiXSS library which is much more robust
than HttpUtility.Encode().

But there is also more complexity to it than you might think - HtmlEncode
(as the name implies) only encodes for HTML output - but you also may do
more than that (e.g. embed stuff in XML or Script - in that case html encoding
won't help you)...

I e.g. like the approach of subclassing existing controls and adding validation
logic there...
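The page base class approach described above, worked through as an added example (not code from the thread or from the AntiXSS library): with request validation switched off for a page, the base class builds HTML-encoded copies of the form and query string, and a separate helper encodes a raw value for whichever output context it is actually written into, which is the point that input scrubbing alone does not cover. The names SafePage, SafeForm, SafeQuery, OutputContext and EncodeFor are this example's own; everything it calls is in System.Web and System.Security as shipped with .NET 2.0.

```csharp
// Added example: own input scrubbing plus context-specific output encoding
// for a page that has <%@ Page ValidateRequest="false" %> (on .NET 4 and later
// web.config also needs <httpRuntime requestValidationMode="2.0" />).
using System;
using System.Collections.Specialized;
using System.Security;
using System.Web;
using System.Web.UI;

// Where a value is about to be written; each place needs its own encoding.
public enum OutputContext { Html, HtmlAttribute, Xml, Url }

public class SafePage : Page
{
    private NameValueCollection safeForm;
    private NameValueCollection safeQuery;

    // HTML-encoded copies of the posted fields and the query string. The raw
    // Request.Form / Request.QueryString stay available for the few fields
    // (e.g. a rich-text editor) that genuinely need the original value.
    public NameValueCollection SafeForm { get { return safeForm; } }
    public NameValueCollection SafeQuery { get { return safeQuery; } }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        safeForm = Scrub(Request.Form);
        safeQuery = Scrub(Request.QueryString);
    }

    // The request collections are read-only, so a new collection is built
    // instead of editing them in place. Multi-valued keys are preserved.
    private static NameValueCollection Scrub(NameValueCollection raw)
    {
        NameValueCollection clean = new NameValueCollection(raw.Count);
        foreach (string key in raw.AllKeys)
        {
            string[] values = raw.GetValues(key);
            if (values == null) continue;
            foreach (string v in values)
                clean.Add(key, HttpUtility.HtmlEncode(v));
        }
        return clean;
    }

    // HtmlEncode only protects HTML body text. When the same value goes into
    // an attribute, an XML document or a URL, encode the RAW value for that
    // context instead; encoding an already HTML-encoded copy double-encodes.
    public static string EncodeFor(string raw, OutputContext ctx)
    {
        if (raw == null) return string.Empty;
        switch (ctx)
        {
            case OutputContext.Html:          return HttpUtility.HtmlEncode(raw);
            case OutputContext.HtmlAttribute: return HttpUtility.HtmlAttributeEncode(raw);
            case OutputContext.Xml:           return SecurityElement.Escape(raw);
            case OutputContext.Url:           return HttpUtility.UrlEncode(raw);
            default: throw new ArgumentOutOfRangeException("ctx");
        }
    }
}

// Usage in a page that inherits SafePage:
//   string name = SafeForm["name"];                    // safe for HTML body text
//   link.HRef = "/search?q=" + EncodeFor(Request.QueryString["q"], OutputContext.Url);
//   title.Attributes["title"] = EncodeFor(Request.Form["t"], OutputContext.HtmlAttribute);
```

Note that none of the four contexts covers a value embedded inside script: HttpUtility.JavaScriptStringEncode only arrived with .NET 4.0, so on .NET 2.0 that context is where the AntiXSS library mentioned above fills the gap. Keeping request validation on as a fallback, as the question wants, is not possible alongside this, since the page-level switch is all-or-nothing.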
 
clintmazur

Thanks Dominick. I'll check out the MS' AntiXSS library. I haven't seen that
one yet.

I figured there wasn't a quick solution, thanks for confirming that. Good
point about the HTML encoding versus XML.