
I've just discovered that because ValidateRequest = true by default, you cannot enter "<" or ">" into any input field by default.

Not knowing too much about XSS attacks, for me, that seems quite restrictive.

To get around that, I've realized I can use validateRequest = false and encode the user data. Obviously, Microsoft has a good reason to put validateRequest = true, so the problem now is I have a whole site with lots of pages, all with this "can't put < or >" problem.

My question is do I only have two options?

1) Leave validateRequest = true and not allow the user to enter < or > at all
2) Switch validateRequest = false and take preventative measures.

If I go with 2, am I meant to encode all data input? Like everything from login and password text fields to user text to search criteria? Or do I only need to do it for some of the input? If so, which fields should I target?

Diskdrive
As far as I can tell you are correct in that you only have two options. I don't know of a clean way of preventing the user from entering special characters. You don't want exceptions thrown if users enter < or >. And you don't want to set ValidateRequest="False" and then later someone adds an input control to the page and forgets to properly encode it before using it, thus leaving you open to a scripting attack. I'm not happy with any of it either. I think Microsoft just threw a band-aid on this in 4.0. Hopefully they will figure out a better way of handling this in future versions. – MikeTeeVee May 25 '11 at 01:25

2 Answers


I ran into this same problem too and found the answer on Stack Overflow here:
A potentially dangerous Request.Form value was detected from the client

Read the high-ranked comment in the marked answer.
This is what I use in my Web.Config because I'm using the .net 4.0 framework:

<httpRuntime requestValidationMode="2.0" />

Then I add ValidateRequest="false" on a page-by-page basis:

<%@ Page Title="" Language="C#" MasterPageFile="~/MasterPages/Site.Master"
    AutoEventWireup="true" CodeBehind="ScheduleAppointment.aspx.cs"
    Inherits="DentalPower.Pages.Public.ScheduleAppointment"
    ValidateRequest="false" %>

It would be nice if ASP.NET TextBoxes had a feature where I could set a ForceEncode property to true that would automatically encode input before sending. Maybe they will do that... someday.

Oh, and always encode all your input from web controls on the page you disable Validation.

MikeTeeVee

To the best of my knowledge you are correct. Either leave validation on or do it manually yourself. The trouble is that the default validation is extremely strict and is not practical in a lot of situations (so many web apps I've seen just turn it off site-wide without much thought to the consequences).

For your reference, a great article on code escaping is http://wonko.com/post/html-escaping

Judo
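Both answers come down to the same rule: once ValidateRequest="false" is set on a page, every value that page reads from a control has to be encoded before it is written back into the response. The example below is added here to show what "do it manually" looks like in a Web Forms code-behind; it is not code from the question or from either answer. It assumes a page whose @Page directive carries ValidateRequest="false" (as in the answer above) and assumed control names (txtSearch, litResult, lnkAgain, btnSearch). The point it demonstrates, beyond the answers, is that the choice of encoder depends on where the value is rendered (HTML text, URL, JavaScript), not on which field it came from; a login name and a search term that end up in the same HTML context get the same treatment.

```csharp
// Added example (not from the question or either answer): a code-behind for a
// page whose @Page directive has ValidateRequest="false", so "<" and ">" reach
// the server, and which encodes each value at the point where it is emitted.
// Control and field names are assumed; the encoders are the real
// System.Web.HttpUtility methods available in .NET 4.0.
using System;
using System.Web;
using System.Web.UI;

namespace Example.Pages
{
    public partial class Search : Page
    {
        // Assumed controls declared in the .aspx markup:
        //   <asp:TextBox  ID="txtSearch" runat="server" />
        //   <asp:Button   ID="btnSearch" runat="server" OnClick="btnSearch_Click" />
        //   <asp:Literal  ID="litResult" runat="server" />   (Mode="PassThrough")
        //   <asp:HyperLink ID="lnkAgain" runat="server" />
        protected void btnSearch_Click(object sender, EventArgs e)
        {
            // With request validation off, this may now contain "<script>...".
            string term = txtSearch.Text;

            // 1. HTML element content: Literal (PassThrough) and HyperLink.Text
            //    write their Text property verbatim, so encode for HTML here.
            litResult.Text = "Results for: " + HttpUtility.HtmlEncode(term);
            lnkAgain.Text = HttpUtility.HtmlEncode(term);

            // 2. URL query string: a different context needs a different encoder.
            lnkAgain.NavigateUrl = "~/Search.aspx?q=" + HttpUtility.UrlEncode(term);

            // 3. JavaScript string literal: HtmlEncode is the wrong tool inside a
            //    <script> block; use the JavaScript string encoder instead.
            string script = "var lastTerm = '" +
                            HttpUtility.JavaScriptStringEncode(term) + "';";
            ClientScript.RegisterStartupScript(GetType(), "lastTerm", script, true);
        }
    }
}
```

When ValidateRequest is turned off only on the pages that need "<" and ">", as the first answer does with requestValidationMode="2.0", the encoding discipline above is limited to those pages; every other page keeps the framework's default rejection of angle brackets.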