2

I am working on the ASP.NET 3.5 platform. I have used a file upload control and an ASP button to upload a file. Whenever I try to upload a file whose name contains special characters, like (file#&%.txt), it crashes and gives the message:

--------------------------------------------------------------------------------
Server Error in 'myapplication' Application.
--------------------------------------------------------------------------------

A potentially dangerous Request.Files value was detected from the client 
 (filename="...\New Text &#.txt").
Description: Request Validation has detected a potentially dangerous client input
value, and processing of the request has been aborted. This value may indicate an
attempt to compromise the security of your application, such as a cross-site 
scripting attack. You can disable request validation by setting 
validateRequest=false in the Page directive or in the configuration section. 
However, it is strongly recommended that your application explicitly check all 
inputs in this case. 

Exception Details: System.Web.HttpRequestValidationException: A potentially 
dangerous Request.Files value was detected from the client 
      (filename="...\New Text &#.txt").

Source Error: 

An unhandled exception was generated during the execution of the current web 
request. Information regarding the origin and location of the exception can be
identified using the exception stack trace below.  

--------------------------------------------------------------------------------

How can I prevent this crash using JavaScript on the client side?

TheVillageIdiot
Subbu

3 Answers

2

A very simple solution is to validate the filename on click of the button (or some other control) that triggers the upload, like this, and stop the upload if there is some problem with the filename:

<asp:FileUpload ID="fu1" runat="server" />
<asp:Button ID="btn" runat="server" CausesValidation="true" Text="Click" 
           OnClientClick="return ValidateFileName();" /> 

<script type="text/javascript">
    function ValidateFileName() {
        var fu = document.getElementById("<%= fu1.ClientID %>");
        var f = fu.value + "";
        if ((f.indexOf("#", 0) >= 0) || (f.indexOf("$", 0) >= 0) ||
              (f.indexOf("%", 0) >= 0) || (f.indexOf("^", 0) >= 0)) {
            alert("Filename: [" + f + "] contains invalid char");
            return false;//will stop button click event here
        }

        return true;
    }
</script>
TheVillageIdiot
  • My dear, your simple solution does not work. You can run the code on your machine and then send the answer. And I do not understand the code if(f.indexOf("A",0)>=0) – Subbu May 24 '10 at 06:52
  • @subodh `f.indexOf("A",0)` is to check if the letter 'A' is in the file name. 'A' is just for illustration; you can change it to whatever char you want to look for in the file name. It works and I had tested it on my machine :D – TheVillageIdiot May 24 '10 at 07:01
  • I have to search for a group of characters like #$%^. How can we search for that? – Subbu May 24 '10 at 07:16
0

In an answer similar to your other question, you cannot "know" the filename of the files that are being uploaded on the client side, because the browser does not let the JavaScript see that. As I said on that question, you can use something like SWFupload to give you a bit more control on the client side and detect this if you like.

You can also take a look at this question for some ideas on how to disable the validation on the server-side.

Community
Dean Harding
  • Then how can we validate that a particular extension is allowed to upload with the help of JavaScript if we can't know the filename of the file on the client side? Will you please clear my doubt? – Subbu May 24 '10 at 06:28
0

The ASP.NET page validation just allows you to be lazy and not bother checking your inputs for characters which COULD be used for some sort of attack. However, if you're following good programming practices such as Html.Encode-ing things you display and using parameters for SQL queries, this validation is a lot less useful and I find it gets in the way!

Disable it for your file upload page by setting validateRequest=false in the page directive. Just make sure you are checking any other values being entered on that page.

Richard
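
Once request validation is switched off for the upload page, the client-supplied file name is one of the inputs the page has to check itself. A server-side check for it, as an added example that is not code from any of the answers above; the class name, the allowed extensions, the 100-character limit and `uploadDir` are assumptions:

```csharp
using System;
using System.Text.RegularExpressions;

// Added example (not from the original answers). Names and limits are assumptions.
public static class UploadFileName
{
    // Assumed policy: the only extensions this page accepts.
    private static readonly string[] AllowedExtensions = { ".txt", ".pdf" };

    // Allowlist: a letter or digit first, then letters, digits, space, '_', '.', '-'.
    // \z (not $) so that a trailing newline cannot slip through.
    private static readonly Regex SafeName =
        new Regex(@"^[A-Za-z0-9][A-Za-z0-9 _.\-]{0,99}\z", RegexOptions.CultureInvariant);

    // Returns true and a server-generated storage name when the client name passes.
    public static bool TryGetStorageName(string clientFileName, out string storageName)
    {
        storageName = null;
        if (string.IsNullOrEmpty(clientFileName)) return false;

        // Some browsers send the full client path; keep only the last segment.
        int cut = clientFileName.LastIndexOfAny(new char[] { '\\', '/' });
        string name = clientFileName.Substring(cut + 1);

        // Rejects "New Text &#.txt" and "file#&%.txt" from the question.
        if (!SafeName.IsMatch(name)) return false;
        if (name.EndsWith(".") || name.EndsWith(" ")) return false;

        int dot = name.LastIndexOf('.');
        if (dot <= 0) return false;                        // no extension at all
        string ext = name.Substring(dot).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0) return false;

        // Do not reuse the client's name on disk; store under a fresh name.
        storageName = Guid.NewGuid().ToString("N") + ext;
        return true;
    }
}

// Usage in the code-behind (fu1 is the FileUpload control from the first answer;
// uploadDir is an assumed directory outside the web root):
//   string stored;
//   if (fu1.HasFile && UploadFileName.TryGetStorageName(fu1.PostedFile.FileName, out stored))
//       fu1.SaveAs(System.IO.Path.Combine(uploadDir, stored));
```

If the original name has to be shown back to the user, keep it in a separate field and HTML-encode it on output.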