
I have a legacy ASP.NET application (VS2005) with around 62 pages and 84 textbox controls spread across them (varies between 2 and 6 textboxes per page). I would like to implement validation to prevent submission of special characters which would otherwise lead to XSS vulnerabilities. Is there a way to implement a global validation function that applies to all textbox controls throughout the application in one go? (Trying to avoid using one validator per textbox, minimising changes to existing code.)

Thanks in advance

Dev
  • Well, I don't think you're able to post something in webforms to the server that starts with `<`. Problem solved ;) – Johan Oct 28 '13 at 22:54
  • @Johan, hint: disable event validation? – naveen Oct 28 '13 at 23:08
  • @Johan It's not just about the < sign. I have a regular expression with a bunch of characters. The issue is about applying one regular expression validator globally, associated with each textbox control throughout the application but done in one place, if possible. For persistent XSS you do not need the < sign. Its equivalent encoded forms can also be used. – Dev Oct 28 '13 at 23:16

3 Answers

You can use inheritance to solve this issue:

Step 1: Create a static method in the base class

```csharp
using System.Text.RegularExpressions;

// Returns true if sEmail is in a valid e-mail format.
public static bool IsValidEmail(string sEmail)
{
    return Regex.IsMatch(sEmail, @"^[\w!#$%&'*+\-/=?\^_`{|}~]+(\.[\w!#$%&'*+\-/=?\^_`{|}~]+)*" + "@" + @"((([\-\w]+\.)+[a-zA-Z]{2,4})|(([0-9]{1,3}\.){3}[0-9]{1,3}))$");
}
```

Step 2: Assign this method for all the text boxes needed for validation in the child class

Example:

```csharp
// Validate only when the textbox is not empty.
if (this.TextboxEmail.Text.Length > 0 &&
    !IsValidEmail(this.TextboxEmail.Text))
{
    ErrMssg("Invalid Email");
}
```
Karl Anderson
  • please read the question again. It's not about e-mail validation in all the pages. – Dev Oct 28 '13 at 23:59

You could listen for the submit event and prevent it in case one or more textboxes contain a certain pattern:

```javascript
$(function(){
    $('form').on('submit', function(e){
        var $invalidTextboxes = $('input[type="text"]').filter(function(){
            return this.value.match(/abc+d/); // your pattern here
        });

        if($invalidTextboxes.length){
            alert('invalid textbox value');
            e.preventDefault();
        }
    });
});
```

If you have more forms on the page and want to pinpoint the one generated by webforms:

How to capture submit event using jQuery in an ASP.NET application?

Johan

The better and generic way to perform validations at the global level would be to take the help of an HTTP module.

You can add a new C# class inheriting from the module class. Inside the class, you can add the iteration on the form elements and perform the desired validations. This will help you build the generic implementation of textbox validations at the global level.

```csharp
using System;
using System.Web;

class XssModule : IHttpModule
{
    #region IHttpModule Members

    // Subscribe to the pipeline event that fires once session state is available.
    public void Init(HttpApplication application)
    {
        application.PostAcquireRequestState += new EventHandler(Application_PostAcquireRequestState);
    }

    public void Dispose()
    {
    }

    #endregion

    private void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        if (HttpContext.Current.Session != null)
        {
            // Perform the iteration on the form elements here.
        }
    }
}
```
Karan
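
One way to fill in the form iteration that the HTTP module answer above leaves as a comment, written as an added example and not code from any of the answers. The class name, the allow-list pattern and the 400 response are assumptions, and it hooks `BeginRequest` instead of `PostAcquireRequestState` so the check does not depend on session state.

```csharp
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;

// Added example (hypothetical class name), not code from the answers.
public class FormInputFilterModule : IHttpModule
{
    // Assumed allow-list: word characters, whitespace and a little punctuation.
    // Replace with the pattern the application actually needs.
    private static readonly Regex Allowed =
        new Regex(@"\A[\w\s.,@'\-]*\z", RegexOptions.Compiled);

    public void Init(HttpApplication application)
    {
        application.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    // Returns the name of the first posted field that fails the allow-list, or null.
    public static string FindInvalidField(NameValueCollection form)
    {
        foreach (string key in form.AllKeys)
        {
            // WebForms infrastructure fields (__VIEWSTATE, __EVENTVALIDATION, ...)
            // carry base64 data that the allow-list would reject, so skip them.
            if (key == null || key.StartsWith("__", StringComparison.Ordinal))
                continue;
            string[] values = form.GetValues(key);
            if (values == null) continue;
            foreach (string value in values)
                if (!Allowed.IsMatch(value)) return key;
        }
        return null;
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        if (app.Context.Request.HttpMethod != "POST") return;
        if (FindInvalidField(app.Context.Request.Form) != null)
        {
            // Reject the whole request before any page code sees the data.
            app.Context.Response.StatusCode = 400;
            app.Context.Response.Write("Invalid characters in submitted form data.");
            app.CompleteRequest();
        }
    }
}
```

Register the module under `<httpModules>` in web.config; it checks every posted field, not only textboxes, so button captions and dropdown values must also fit the pattern. Values written back to a page should still go through `HttpUtility.HtmlEncode`, since that is what stops a stored value from rendering as markup.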