Tuesday, April 15, 2003


Source: A Blog for Graymad; 4/14/2003; 6:15:03 PM

Important info on Request Validation.

Yosi Taguri writes:

we've moved our code into vs.net 2003

we noticed a problem when passing parameters to the server that contained xml code

we got "A potentially dangerous request......"

searching thru google came up with this:

http://www.asp.net/faq/RequestValidation.aspx

a neat explanation to a new feature in 1.1..

u can disable it with :

<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>

in your web.config / machine.config

[Yosi Taguri]

It's very important to point out (for the benefit of those who don't follow the link), that you should NOT turn off request validation unless you have implemented your own input filtering/validation code. It can be very challenging to get this stuff right, which is likely part of why the request validation feature was added.

If you don't need to allow HTML tags or HTML-encoded input, just leave request validation turned on, and provide a handler for the exception it throws.

If you DO need to allow HTML input on a given page, turn off request validation at the page level using the validateRequest attribute of the @ Page directive, rather than turning it off at the machine or application level. That way, if you (or someone on your team) adds a page later that accepts input, that page will be automatically protected.

[A Blog for Graymad]
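
The two recommendations above, sketched as an added example (not code from either blog post or from the linked FAQ): request validation stays on application-wide with a handler for the exception it throws, and one page opts out and encodes its own input. The class, control and file names (Global, CommentPage, CommentBox, Preview, Comment.aspx) are assumptions.

```csharp
// Added example; class, control and file names are hypothetical.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Global.asax code-behind: request validation stays on for the whole
// application, and the exception it throws gets a controlled response.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;
        // The exception may arrive wrapped in HttpUnhandledException.
        if (ex is HttpRequestValidationException ||
            ex.GetBaseException() is HttpRequestValidationException)
        {
            Server.ClearError();
            Response.Clear();
            Response.StatusCode = 400;
            Response.Write("The submitted input contained characters that are not allowed.");
        }
    }
}

// Comment.aspx is the only page that opts out, via its directive:
//   <%@ Page validateRequest="false" Inherits="CommentPage" %>
// With validation off here, this page must do its own filtering.
public class CommentPage : Page
{
    protected TextBox CommentBox;   // declared in the .aspx
    protected Label Preview;        // declared in the .aspx

    protected void Submit_Click(object sender, EventArgs e)
    {
        // Encode everything first, then re-enable a short allowlist of tags.
        string safe = Server.HtmlEncode(CommentBox.Text);
        safe = safe.Replace("&lt;b&gt;", "<b>").Replace("&lt;/b&gt;", "</b>");
        safe = safe.Replace("&lt;i&gt;", "<i>").Replace("&lt;/i&gt;", "</i>");
        Preview.Text = safe;
    }
}
```

Any page added later without the directive keeps the default and is still covered by the Application_Error handler.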

12:00:55 PM