Request Validation

Hi guys

I have a question regarding how to do request validation on user input. We all know that in ASP.NET, when a user inputs something like <a>blah blah</a>, by default it will throw an HttpRequestValidationException saying "A potentially dangerous Request.Form value was detected from the client". And this validation can be turned off in the page.

Now, I am quite annoyed about all these exceptions caused by someone wanting to post some kind of ads on my website. And I really do not want to disable the page request validation. The best result for me would be that I can do something about it before it reaches the request validation event, like check the user input myself and then redirect to some other page. If the user continues doing that, the system will automatically lock the user's account and send an email to the admin.

Is there any way I can achieve this? Or do you have better ideas? Any help will be appreciated.

Thanks a lot
Cheers
Victor
Re: Request Validation

I suggest you disable the page request validation and instead use Microsoft's free Anti-Cross Site Scripting Library.
http://msdn2.microsoft.com/en-us/security/aa973814.aspx

If that doesn't work out for you, use a White List approach to specify only which characters are allowed - and deny all other characters.

--
I hope this helps,
Steve C. Orr, MCSD, MVP, CSM, ASPInsider
http://SteveOrr.net

"Victor" <victor@noemail.noemail> wrote in message news:C57D81B2-C25F-4436-8F48-AAFCC075FAB0@microsoft.com...
> Hi guys
> I have a question regarding how to do request validation on user
> input. We all know that in ASP.NET, when a user inputs something like
> <a>blah blah</a>, by default it will throw an
> HttpRequestValidationException saying "A potentially dangerous
> Request.Form value was detected from the client".
> And this validation can be turned off in the page.
>
> Now, I am quite annoyed about all these exceptions caused by someone
> wanting to post some kind of ads on my website. And I really do not want
> to disable the page request validation. The best result for me would be
> that I can do something about it before it reaches the request validation
> event, like check the user input myself and then redirect to some other
> page. If the user continues doing that, the system will automatically
> lock the user's account and send an email to the admin.
>
> Is there any way I can achieve this? Or do you have better ideas? Any help
> will be appreciated.
> Thanks a lot
> Cheers
> Victor
RE: Request Validation

Hi Victor,

I agree with Steve here. With the Anti-Cross Site Scripting Library and turning off "validateRequest", you should be able to accept any input without being vulnerable to malicious script:

```csharp
Literal1.Text =
    "Hello " +
    Microsoft.Security.Application.AntiXss.HtmlEncode(TextBox1.Text)
    + "! Welcome to the examples!";
```

Regards,
Walter Wang (wawang@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
Re: Request Validation

Hi Steve and Walter:

Thanks for your help. This is really a good clue for me to solve my problem. I am still doing research on the AntiXss class. Hopefully, I can start using that soon.

Cheers, thanks again for the help.
Victor

"Walter Wang [MSFT]" <wawang@online.microsoft.com> wrote in message news:II8F1ayzHHA.5836@TK2MSFTNGHUB02.phx.gbl...
> Hi Victor,
>
> I agree with Steve here. With the Anti-Cross Site Scripting Library and
> turning off "validateRequest", you should be able to accept any input
> without being vulnerable to malicious script:
>
> Literal1.Text =
>     "Hello " +
>     Microsoft.Security.Application.AntiXss.HtmlEncode(TextBox1.Text)
>     + "! Welcome to the examples!";
>
> Regards,
> Walter Wang (wawang@online.microsoft.com, remove 'online.')
> Microsoft Online Community Support
>
> ==================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
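
An added example, not part of any post in this thread and not Microsoft's sample code: one way to combine the white-list check and output encoding suggested in the replies with the strike-and-lock behaviour asked about in the first post. It assumes the page is declared with ValidateRequest="false" and the site uses ASP.NET Membership; the handler name, pattern, strike limit, Rejected.aspx and the mail addresses are hypothetical.

```csharp
// Added example: code-behind for a page declared with ValidateRequest="false".
// TextBox1 and Literal1 come from the thread; everything else named here
// (SubmitButton_Click, the pattern, MaxStrikes, Rejected.aspx) is an assumption.
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Security;
using Microsoft.Security.Application;

public partial class Welcome : System.Web.UI.Page
{
    // White list: letters, digits, spaces and a little punctuation, 1 to 50 chars.
    private static readonly Regex Allowed =
        new Regex(@"\A[A-Za-z0-9 .,'\-]{1,50}\z", RegexOptions.CultureInvariant);
    private const int MaxStrikes = 3;

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        string input = TextBox1.Text;
        if (!Allowed.IsMatch(input))
        {
            RecordStrike();
            Response.Redirect("~/Rejected.aspx"); // ends the request
            return;
        }
        // Encode at output time even though the value passed the white list.
        Literal1.Text = "Hello " + AntiXss.HtmlEncode(input) + "! Welcome to the examples!";
    }

    private void RecordStrike()
    {
        if (!User.Identity.IsAuthenticated) return;
        string name = User.Identity.Name;
        string key = "strikes:" + name;
        int strikes = ((int?)HttpRuntime.Cache[key] ?? 0) + 1;
        // Strikes expire one hour after the most recent rejected submission.
        HttpRuntime.Cache.Insert(key, strikes, null, DateTime.UtcNow.AddHours(1),
            System.Web.Caching.Cache.NoSlidingExpiration);
        if (strikes < MaxStrikes) return;

        MembershipUser user = Membership.GetUser(name);
        if (user == null) return;
        user.IsApproved = false; // blocks further logins until an admin re-approves
        Membership.UpdateUser(user);
        // Placeholder addresses; SMTP settings come from <mailSettings> in web.config.
        new System.Net.Mail.SmtpClient().Send("noreply@example.invalid",
            "admin@example.invalid", "Account locked",
            name + " was locked after repeated rejected input.");
    }
}
```

The strike counter lives in the in-process cache, so it resets on application restart and is not shared across servers in a web farm.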