Jon Box's Weblog

 


  Friday, October 17, 2003


Securing .NET Compact Framework Solutions
Just as Microsoft has rededicated itself to security through its Trustworthy Computing Initiative, your organization should be sure to design and implement its .NET Compact Framework applications using secure coding practices and principles. In this .NETDJ column, Dan Fox reviews what you'll need to consider to implement security at the device, application, and communication layers.

11:48:11 PM

I know that there has to be a better way to do this.  But here goes anyway.  I'm doing some testing in an ASP.NET prototype that will later become a Web Service.  For now, I'm just serializing the response per Jeff's snippet and showing it within an ASP.NET TextBox server control.  However, when I do a second postback, I get this error.

A potentially dangerous Request.Form value was detected from the client...

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TextBoxResult="...="1.0"?> <RespType ...").

I know that helping the application prevent malicious input is a good thing in this crazy evil world, but I trust the input since I am the only user of this test code.  So, I want to disable this.  ASP.NET to the rescue again.  Just add ValidateRequest="false" to the @Page directive in the ASPX file to disable the feature for the current page.  You could also disable it for all applications in Machine.config, but DO NOT DO THAT.

Another option would be to encode the output to the client with the following: Server.HtmlEncode( TextBox1.Text ).  Then it isn't treated as XML because all of the tag brackets are now their text equivalents.  However, it no longer looks like XML in the page either.

Anyway, this is just a testing fact, not to be used in production...
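The two workarounds above, as an added example that is not code from the original post: an ASP.NET 1.x code-behind class for this kind of test page. The class, control and type names, and the matching @Page directive, are assumptions.

```csharp
// Added example, not from the original post. Assumed markup for the page:
//   <%@ Page Language="C#" Inherits="XmlEchoPage" ValidateRequest="false" %>
// ValidateRequest="false" switches request validation off for this page
// only; the machine-wide switch in Machine.config is deliberately left alone.
using System;
using System.IO;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Xml.Serialization;

// Stand-in for the response type the future Web Service will return.
public class RespType
{
    public string Status;
    public int Count;
}

public class XmlEchoPage : Page
{
    // Declared in the .aspx markup with runat="server" (assumed names).
    protected TextBox TextBoxResult;
    protected CheckBox CheckBoxEncode;

    // Serialize the response to a string, as the Web Service later will.
    public static string SerializeResponse(RespType resp)
    {
        XmlSerializer ser = new XmlSerializer(typeof(RespType));
        StringWriter sw = new StringWriter();
        ser.Serialize(sw, resp);
        return sw.ToString();
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        RespType resp = new RespType();
        resp.Status = "ok";
        resp.Count = 2;
        string xml = SerializeResponse(resp);

        // Option 1 (directive above): raw XML in the box. The posted value
        // contains '<' on the next postback, which request validation would
        // otherwise reject with HttpRequestValidationException.
        // Option 2: encode first. The TextBox encodes again when it renders,
        // so the user sees "&lt;RespType ..." and the posted value never
        // contains '<'; validation can stay on, but it no longer looks like XML.
        TextBoxResult.Text = CheckBoxEncode.Checked ? Server.HtmlEncode(xml) : xml;
    }
}
```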

 


11:01:06 AM


© Copyright 2004 Jon Box.
Last update: 8/31/2004; 11:59:54 PM.
