0

My ASP.NET page contains "ValidateRequest = true". However, there is one textbox in the page for which I don't want ASP.NET to validate. Is there a way to make it false for that one control? If there isn't, is there a way to ignore the "Potential Threat" error, assuming it comes from that particular control?

Thanks

XSL
  • 2,965
  • 7
  • 38
  • 61
  • Why would you want to allow surreptitious input from any input control? – IrishChieftain Jan 16 '10 at 19:18
  • This is partly related to my other post: http://stackoverflow.com/questions/2045188/is-password-input-sanitization-required As the password is being hashed, I don't have to worry about that particular input as it's never displayed nor stored on the database. However, I'd like ASP.NET to cover the other inputs. – XSL Jan 16 '10 at 19:26

2 Answers2

0

Take a look at my question. Apparently .NET 4.5 now has support for excluding controls from the page request validation.

http://msdn.microsoft.com/en-us/library/system.web.ui.control.validaterequestmode.aspx

Community
  • 1
  • 1
ajbeaven
  • 9,265
  • 13
  • 76
  • 121
0

The only way I know of to do this would be to call the ValidateString of the HttpRequest class. Unfortunately, it is private, so you have to do it with reflection.

I have not tested this - it is not exactly the same code I use. it is adapted from code I wrote a few years ago, so maybe Microsoft has something new which make this easier.

MethodInfo _validateMethodInfo = typeof(HttpRequest).GetMethod("ValidateString", BindingFlags.NonPublic | BindingFlags.Static | BindingFlags.InvokeMethod);
foreach (string key in Request.Form.AllKeys) {
  if (key = "< skipped field name >") {
    continue;
  }
  object[] parameters = { Request.Form[key], key, "Request.Form" };
  _validateMethodInfo.Invoke(Request, parameters);
}
Ray
  • 21,485
  • 5
  • 48
  • 64