Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > How to compromise on ValidateRequest?

How to compromise on ValidateRequest?

 
 
AFN
Guest
      06-15-2004
I have a form with 15 fields. I want users to be able to enter "<" and ">"
characters into 1 of those fields without IIS catching it and disallowing
the whole page. I did some reading and I *think* that means I MUST set
ValidateRequest=False. So, two questions:

1) Do I have to then pass the results of every one of those 15 fields into
HtmlEncode? like strAfter = HtmlEncode(txtField1.text)? That's annoying
when I only want to allow 1 field to have the "<" ">" values.

2) What does the < character turn into when you do HtmlEncode? Generally.
I don't want it to turn into something like %20. If that is what it does,
then what other function can I use to test that my input is safe but still
keep it as < or >?


 
Martin Marinov
Guest
      06-15-2004
Yes, you must set ValidateRequest=False to stop the .NET framework from checking
for "<" and ">" symbols.
Also, there is a bug in ValidateRequest that makes it possible to write "<%00" in the form
fields.
So the answers:
1) You have to HtmlEncode all the fields that you will show on the page (it
is recommended to HtmlEncode all of the data).
2) The character "<" is turned into &lt; and the character ">" into &gt;.

To do this I would suggest you create a CustomValidator control for each of
the 14 fields, BUT these 14 validators will use one function to check and
HtmlEncode the data.

Hope this helps
Regards
Martin

"AFN" <(E-Mail Removed)> wrote in message
news:F5uzc.1587$(E-Mail Removed)...
> I have a form with 15 fields. I want users to be able to enter "<" and ">"
> characters into 1 of those fields without IIS catching it and disallowing
> the whole page. I did some reading and I *think* that means I MUST set
> ValidateRequest=False. So, two questions:
>
> 1) Do I have to then pass the results of every one of those 15 fields into
> HtmlEncode? like strAfter = HtmlEncode(txtField1.text)? That's annoying
> when I only want to allow 1 field to have the "<" ">" values.
>
> 2) What does the < character turn into when you do HtmlEncode? Generally.
> I don't want it to turn into something like %20. If that is what it does,
> then what other function can I use to test that my input is safe but still
> keep it as < or >?
>
>
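The approach Martin describes, one shared check behind a CustomValidator on each restricted field and encoding at render time, as an added example in C# code-behind. This is not code from the thread; it assumes an .aspx page whose @Page directive has ValidateRequest="False", TextBox controls txtField1..txtField15 (txtField7 being the one that may carry angle brackets), a Literal litEcho, a button btnSubmit, and in the markup one validator per restricted field such as `<asp:CustomValidator runat="server" ControlToValidate="txtField1" OnServerValidate="SharedValidate" ErrorMessage="'<' and '>' are not allowed" />`. All of those names are assumptions for the illustration.

```csharp
// Added example, not code from the thread. One ServerValidate handler shared by a
// CustomValidator on each restricted field; the single field that may contain '<'
// and '>' is allowed through by its ID. Control names are assumptions.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ValidateRequestForm : Page
{
    // The one field allowed to carry raw angle brackets (assumed ID).
    private const string BracketFieldId = "txtField7";

    // The rule itself, kept apart from the control plumbing so it can be unit tested:
    // returns true when the value is acceptable for the named field.
    public static bool IsAllowed(string controlId, string value)
    {
        if (value == null) value = string.Empty;
        if (controlId == BracketFieldId) return true;        // brackets permitted here
        return value.IndexOfAny(new[] { '<', '>' }) < 0;     // everywhere else: reject them
    }

    // Every CustomValidator on the page points OnServerValidate at this one method.
    protected void SharedValidate(object source, ServerValidateEventArgs args)
    {
        var validator = (CustomValidator)source;
        args.IsValid = IsAllowed(validator.ControlToValidate, args.Value);
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Validators run before this handler when the button has CausesValidation=true
        // (the default); stop here if any of them failed.
        if (!Page.IsValid) return;

        // Keep the raw text; encode only at the moment it is rendered as HTML.
        // HttpUtility.HtmlEncode("<b>hi</b>") returns "&lt;b&gt;hi&lt;/b&gt;", so the
        // browser displays the brackets as text instead of parsing a tag.
        litEcho.Text = HttpUtility.HtmlEncode(txtField7.Text);
    }
}
```

Note that a CustomValidator does not fire for an empty value unless ValidateEmptyText="true" is set on it, which does not matter for this rule since an empty string contains no brackets. The point of the split between IsAllowed and SharedValidate is that the field-specific policy is one function that all 14 validators share, exactly as the reply suggests, rather than 14 copies of the same check.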



 
bruce barker
Guest
      06-15-2004
ValidateRequest=False is to prevent a common coding error. Take the common
welcome message

John, welcome to my site

If implemented as

<%= UserName %>, welcome to my site

your page is open to a scripting hack. The user, when they enter their name,
can input <script>....</script>. The fix, when outputting user input data as
HTML, is to encode it when rendered.

<%= HttpUtility.HtmlEncode(UserName) %>, welcome to my site

is completely safe. This is more of a problem when users enter data that is
displayed on other people's pages; then the script can do more damage.

Note: as any user can run arbitrary JavaScript on your page through the
address bar, you should design your page not to trust postback values
(especially hidden fields).

-- bruce (sqlwork.com)




"AFN" <(E-Mail Removed)> wrote in message
news:F5uzc.1587$(E-Mail Removed)...
> I have a form with 15 fields. I want users to be able to enter "<" and ">"
> characters into 1 of those fields without IIS catching it and disallowing
> the whole page. I did some reading and I *think* that means I MUST set
> ValidateRequest=False. So, two questions:
>
> 1) Do I have to then pass the results of every one of those 15 fields into
> HtmlEncode? like strAfter = HtmlEncode(txtField1.text)? That's annoying
> when I only want to allow 1 field to have the "<" ">" values.
>
> 2) What does the < character turn into when you do HtmlEncode? Generally.
> I don't want it to turn into something like %20. If that is what it does,
> then what other function can I use to test that my input is safe but still
> keep it as < or >?
>
>
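Bruce's two points, the welcome message in its vulnerable and encoded forms and a postback handler that does not trust a hidden field, as an added C# code-behind example. This is not code from the thread; it assumes a Web Forms page with Label controls lblWelcome and lblTotal, a DropDownList ddlProduct, a TextBox txtQuantity, a HiddenField hfUnitPrice and a button btnBuy, and the price table is constructed sample data standing in for a database. All of those names are assumptions for the illustration.

```csharp
// Added example, not code from the thread. Encoded welcome message plus a postback
// handler that recomputes its inputs on the server instead of trusting a hidden field
// the browser sent back. Control names and the price table are assumptions.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;

public partial class WelcomePage : Page
{
    // Server-side source of truth (constructed sample data; a real page would query a DB).
    private static readonly Dictionary<string, decimal> UnitPrices =
        new Dictionary<string, decimal> { { "SKU-100", 19.99m }, { "SKU-200", 49.00m } };

    // Exposed to the markup so <%= HttpUtility.HtmlEncode(UserName) %> works there too.
    protected string UserName { get; private set; }

    protected void Page_Load(object sender, EventArgs e)
    {
        UserName = User.Identity.IsAuthenticated ? User.Identity.Name : "Guest";

        // Vulnerable form from the post, equivalent to <%= UserName %>:
        //   lblWelcome.Text = UserName + ", welcome to my site";
        // A name containing <script>...</script> would be parsed by the browser as markup.
        // Hardened form, equivalent to <%= HttpUtility.HtmlEncode(UserName) %>:
        lblWelcome.Text = HttpUtility.HtmlEncode(UserName) + ", welcome to my site";
    }

    protected void btnBuy_Click(object sender, EventArgs e)
    {
        // hfUnitPrice.Value round-trips through the browser, so it is a postback value
        // like any other and may not be what the server originally wrote into it.
        // Derive the price again from the selected SKU and the server-side table.
        decimal unitPrice;
        if (!UnitPrices.TryGetValue(ddlProduct.SelectedValue, out unitPrice))
        {
            lblTotal.Text = "Unknown product";
            return;
        }

        // The quantity is also user input: parse it and bound it before use.
        int quantity;
        if (!int.TryParse(txtQuantity.Text, out quantity) || quantity < 1 || quantity > 100)
        {
            lblTotal.Text = "Quantity must be between 1 and 100";
            return;
        }

        // Optional: note a mismatch in the page trace for later review, but never act on
        // the submitted value.
        decimal submitted;
        if (decimal.TryParse(hfUnitPrice.Value, out submitted) && submitted != unitPrice)
        {
            Trace.Warn("Hidden price field differed from server price; ignored.");
        }

        // Label.Text is rendered verbatim, so encode even server-generated text by habit.
        lblTotal.Text = HttpUtility.HtmlEncode((unitPrice * quantity).ToString("C"));
    }
}
```

The design choice worth noticing is that the hidden field is never an input to the decision; it is at most a signal for the trace log. ViewState MAC protection covers ViewState, not arbitrary HiddenField or form values, so anything that reaches the server through the form is re-derived or re-validated here.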



 