Do sites like Stackoverflow or asp.net use validateRequest="false" in their page directive? If yes, how are they checking the user input, and if no, how are they able to post back the data?
1 Answer
1
The main things ValidateRequest is looking for are < and > characters, to stop you opening your site up to malicious users posting script and/or HTML to your site.
Answer to the second question, when ValidateRequest="false":
When request validation is disabled, content can be submitted to a page; it is the responsibility of the page developer to ensure that content is properly encoded or processed.
For encoding the data: content can be easily HTML-encoded on the server using the Server.HtmlEncode(string) API. Content can also be easily HTML-decoded, that is, reverted back to standard HTML, using the Server.HtmlDecode(string) method.

Pranay Rana
-
Thanks for your reply, but this is not the complete answer. I just want to know how these sites are dealing with malicious inputs, just in case they set ValidateRequest = false. I mean, how are they verifying the input at the server side if they disable validate request? – Zerotoinfinity Aug 12 '10 at 06:51
-
Read the article link. By the way, by encoding data they avoid script attacks. Go to the article, which gives you more info: http://www.asp.net/learn/whitepapers/request-validation/ – Pranay Rana Aug 12 '10 at 06:53
-
So does it mean that doing encoding at the server side is called validation of malicious input at the server side? – Zerotoinfinity Aug 12 '10 at 06:58
-
Yes, that is the only thing you can do if ValidateRequest is set to false. – Pranay Rana Aug 12 '10 at 07:00
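
The encoding step discussed in the answer, as an added example that is not part of the original answer or comments. It is a console stand-in for a page running with ValidateRequest="false": the names CommentRendering, RenderRaw and RenderEncoded are hypothetical, the inputs are constructed, and System.Net.WebUtility.HtmlEncode is used in place of Server.HtmlEncode(string) so the sample runs without an HttpContext. It also shows why encoding belongs at output time: encoding once on input and again on output corrupts what the reader sees.

```csharp
using System;
using System.Net;

// Added illustration (not from the thread). Inside a real page,
// Server.HtmlEncode(string) plays the role WebUtility.HtmlEncode plays here.
static class CommentRendering
{
    // Vulnerable: with request validation off, posted text reaches the markup unchanged.
    static string RenderRaw(string comment)
    {
        return "<div class=\"comment\">" + comment + "</div>";
    }

    // Hardened: the raw value is kept as submitted and encoded at the moment of output.
    static string RenderEncoded(string comment)
    {
        return "<div class=\"comment\">" + WebUtility.HtmlEncode(comment) + "</div>";
    }

    static void Main()
    {
        // Constructed sample inputs: legitimate text containing < and >,
        // a script element, and quote characters.
        string[] posted =
        {
            "Use List<string> when a < b && b > c",
            "<script>alert(1)</script>",
            "\"quoted\" & 'single'"
        };

        foreach (string input in posted)
        {
            string encoded = WebUtility.HtmlEncode(input);

            Console.WriteLine("input     : " + input);
            Console.WriteLine("raw       : " + RenderRaw(input));
            Console.WriteLine("encoded   : " + RenderEncoded(input));

            // HtmlDecode restores the original, so nothing is lost by encoding on output.
            Console.WriteLine("round trip: " + (WebUtility.HtmlDecode(encoded) == input));

            // Pitfall: text already encoded on input and encoded again on output
            // shows literal entities such as &amp;lt; to the reader.
            Console.WriteLine("twice     : " + WebUtility.HtmlEncode(encoded));
            Console.WriteLine();
        }
    }
}
```

HtmlEncode covers HTML element content and quoted attribute values; values written into script blocks or URLs need the encoder for that context instead.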