https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Alexandre+HerzogOWASP - User contributions [en]2026-05-16T15:59:21ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=ASP.NET_Request_Validation&diff=102701ASP.NET Request Validation2011-01-31T14:04:36Z<p>Alexandre Herzog: <? is also considered as a dangerous tag in ASP.NET 2.0</p>
<hr />
<div>ASP.NET Provides built-in request validation on form submission or postback handling. Request validation is on by default, and is handled differently by versions of the framework. <br />
<br />
==ASP.NET 1.1 Request Validation Summary==<br />
<br />
*Filter "&#"<br />
*Filter ‘<’ then alphas or ! or / (tags)<br />
*Filter "script:"<br />
*Filter on handlers (onXXX=)<br />
*Filter “expression(“<br />
*Ignore elements named "__VIEWSTATE"<br />
<br />
<br />
==ASP.NET 2.0 Request Validation Summary==<br />
<br />
*Filter "&#"<br />
*Filter ‘<’ then alphas or ! or / or ? (tags)<br />
*Ignore elements with names prefixed with double underscore (__)<br />
<br />
<br />
==ValidateRequest Setting==<br />
===To toggle request validation (it is set to true by default):===<br />
<br />
On a single page:<br />
<br />
<%@ Page validateRequest="true|false" %><br />
<br />
For the entire application:<br />
<br />
<configuration><br />
<system.web><br />
<pages validateRequest="true|false" /><br />
</system.web><br />
</configuration><br />
<br />
===References===<br />
[http://phed.org/2008/04/23/aspnet-20-dumbs-down-request-validation/ ASP.NET 2.0 dumb’s down request validation (by Michael Eddington)]<br />
<br />
[http://keepitlocked.net/archive/2007/10/30/asp-net-validaterequest-and-the-html-attribute-based-cross-site-scripting.aspx ASP.NET ValidateRequest and the HTML Attribute Based Cross Site Scripting]<br />
<br />
[[Category:OWASP .NET Project]]</div>Alexandre Herzog