ASP.NET Request Validation
From OWASP
Revision as of 13:57, 29 April 2008
ASP.NET provides built-in request validation on form submission and postback handling. Request validation is on by default, and the set of patterns it rejects differs between versions of the framework.
ASP.NET 1.1 Request Validation Summary
- Filter "&#"
- Filter '<' followed by a letter, '!' or '/' (tags)
- Filter "script:"
- Filter event handlers (onXXX=)
- Filter "expression("
- Ignore elements named "__VIEWSTATE"
ASP.NET 2.0 Request Validation Summary
- Filter "&#"
- Filter '<' followed by a letter, '!' or '/' (tags)
- Ignore elements with names prefixed with double underscore (__)
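The two rule sets above, modelled in Python as an added example (not OWASP's or Microsoft's code; the regexes are an approximation of the listed patterns, not the framework's implementation, and the field names and values in SAMPLE_FORM are constructed). It reports which fields each version rejects, applies each version's ignore rule for double-underscore fields, and lists the fields that 1.1 would have blocked but 2.0 lets through, which is exactly the input that output encoding must still cover.

```python
import re

# Regexes modelling the filter rules as the page lists them for each version:
# an approximation for illustration, not the framework's own implementation.
RULES_1_1 = {
    "&#": re.compile(r"&#"),
    "tag": re.compile(r"<[A-Za-z!/]"),                    # '<' then letter, '!' or '/'
    "script:": re.compile(r"script:", re.IGNORECASE),
    "onXXX=": re.compile(r"\bon\w+\s*=", re.IGNORECASE),  # event-handler attributes
    "expression(": re.compile(r"expression\(", re.IGNORECASE),
}
RULES_2_0 = {name: RULES_1_1[name] for name in ("&#", "tag")}  # 2.0 keeps only these two

def is_ignored(field_name, version):
    """1.1 skips only __VIEWSTATE; 2.0 skips every field whose name starts with '__'."""
    if version == "1.1":
        return field_name == "__VIEWSTATE"
    return field_name.startswith("__")

def validate_request(form, version):
    """Return {field: [rules hit]} for every field the given version would reject."""
    rules = RULES_1_1 if version == "1.1" else RULES_2_0
    rejected = {}
    for name, value in form.items():
        if is_ignored(name, version):
            continue
        hits = [rule for rule, rx in rules.items() if rx.search(value)]
        if hits:
            rejected[name] = hits
    return rejected

def relaxed_in_2_0(form):
    """Fields 1.1 would have blocked that 2.0 passes through to the application."""
    old, new = validate_request(form, "1.1"), validate_request(form, "2.0")
    return [name for name in old if name not in new]

# Constructed sample form post (not real traffic) covering each rule and both ignore rules.
SAMPLE_FORM = {
    "__VIEWSTATE": "<b>never inspected</b>",
    "__custom": "<i>skipped by 2.0 only</i>",
    "comment": "Hello <b>world</b>",
    "entity": "&#60;b&#62;",
    "link": "javascript:void(0)",
    "style": "width: expression(getWidth())",
    "title": "x onmouseover=highlight()",
    "name": "O'Neil & Sons > Ltd",
}

if __name__ == "__main__":
    print("relaxed in 2.0:", relaxed_in_2_0(SAMPLE_FORM))
```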
To toggle request validation (it is set to true by default):
On a single page:
<%@ Page validateRequest="true|false" %>
For the entire application:
<configuration>
  <system.web>
    <pages validateRequest="true|false" />
  </system.web>
</configuration>