
.NET Forum / ASP.NET / General / July 2007


Request Validation

Victor - 25 Jul 2007 14:04 GMT
Hi guys
I have a question regarding how to do request validation on users'
input. We all know that in ASP.NET, when a user inputs something like <a>blah
blah</a>, by default it will throw an HttpRequestValidationException saying "A
potentially dangerous Request.Form value was detected from the client". And
this validation can be turned off in the page.

Now, I am quite annoyed about all these exceptions caused by someone wanting to
post some kind of ads on my website. And I really do not want to disable the
page request validation. The best result for me would be that I can do
something about it before it reaches the request validation event, like check
the user input myself and then redirect to some other page. If the user continues
doing that, the system will automatically lock the user's account and send
an email to the admin.

Is there any way I can achieve this? Or do you have better ideas? Any help
will be appreciated.
Thanks a lot
Cheers
Victor
Steve C. Orr [MCSD, MVP, CSM, ASP Insider] - 25 Jul 2007 14:30 GMT
I suggest you disable the page request validation and instead use
Microsoft's free Anti-Cross Site Scripting Library.
http://msdn2.microsoft.com/en-us/security/aa973814.aspx

If that doesn't work out for you, use a White List approach to specify only
which characters are allowed - and deny all other characters.

I hope this helps,
Steve C. Orr,
MCSD, MVP, CSM, ASPInsider
http://SteveOrr.net

> Hi guys
> I have a question regarding how to do request validation on users'
[quoted text clipped - 16 lines]
> Cheers
> Victor
Walter Wang [MSFT] - 26 Jul 2007 02:45 GMT
Hi Victor,

I agree with Steve here, with the Anti-Cross Site Scripting Library and
turning off "validateRequest", you should be able to accept any input
without being vulnerable to malicious script:

Literal1.Text =
"Hello " + Microsoft.Security.Application.AntiXss.HtmlEncode(TextBox1.Text)
+ "! Welcome to the examples!";

Regards,
Walter Wang (wawang@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
Victor - 31 Jul 2007 02:58 GMT
Hi Steve and Walter:
Thanks for your help. This is really a good clue for me to solve my problem.
I am still doing research on the AntiXss class. Hopefully, I can start using
that soon.
Cheers, thanks again for the help.

Victor

> Hi Victor,
>
[quoted text clipped - 18 lines]
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
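
The approach discussed in this thread, as an added example that is not code from any of the posters: an allow-list check on input, a per-user count of rejected submissions for the lockout Victor describes, and HTML encoding at output time. The class name, the character set, the three-strike threshold and the in-memory counter are assumptions for illustration, and System.Net.WebUtility.HtmlEncode stands in for AntiXss.HtmlEncode so the block compiles without the library.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical helper: names and the strike threshold are assumptions, not from the thread.
public static class InputGate
{
    // Allow-list: letters, digits, spaces and basic punctuation, 1 to 200 characters.
    private static readonly Regex Allowed =
        new Regex(@"\A[\p{L}\p{Nd} .,!?'\-]{1,200}\z", RegexOptions.CultureInvariant);

    private const int MaxStrikes = 3;  // assumed lockout threshold
    private static readonly Dictionary<string, int> Strikes = new Dictionary<string, int>();
    private static readonly object Sync = new object();

    public static bool IsAllowed(string input)
    {
        return input != null && Allowed.IsMatch(input);
    }

    // Records a rejected submission; returns true once the account should be locked.
    public static bool RecordRejection(string userName)
    {
        lock (Sync)
        {
            int count;
            Strikes.TryGetValue(userName, out count);  // count stays 0 for a new user
            Strikes[userName] = ++count;
            return count >= MaxStrikes;
        }
    }

    // Encode at output time even for input that passed the allow-list.
    public static string Greeting(string name)
    {
        return "Hello " + WebUtility.HtmlEncode(name) + "! Welcome to the examples!";
    }

    public static void Main()
    {
        string[] samples = { "Victor", "<a>blah blah</a>" };  // constructed input
        foreach (string s in samples)
        {
            if (IsAllowed(s)) { Console.WriteLine(Greeting(s)); continue; }
            bool locked = RecordRejection("demo-user");
            Console.WriteLine("Rejected; lock account: " + locked);
        }
    }
}
```

In a page with validateRequest turned off, IsAllowed would run in the postback handler before the value is stored or echoed, and a true result from RecordRejection is the point at which to lock the account and notify the admin.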
