ASP.NET Request Validation
Revision as of 13:18, 29 April 2008 by Mroxberr
ASP.NET provides built-in request validation on form submission or postback handling. Request validation is on by default, and is handled differently by different versions of the framework.
ASP.NET 1.1 Request Validation Summary
* Filter "&#"
* Filter '<' then alphas or ! or / (tags)
* Filter "script:"
* Filter on handlers (onXXX=)
* Filter "expression("
* Ignore elements named "__VIEWSTATE"
ASP.NET 2.0 Request Validation Summary
* Filter "&#"
* Filter '<' then alphas or ! or / (tags)
* Ignore elements with names prefixed with double underscore (__)
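The two rule sets above can be compared side by side with a small model. This is an added example, not code from the original page or from the framework: the regular expressions, the case-insensitive matching and the names `RULES`, `is_exempt`, `matched_rules`, `compare` and `SAMPLE` are assumptions made for the illustration.

```python
import re

# Rules transcribed from the two summaries above. The regexes are an
# approximation written for this example, not the framework's own code.
CHAR_REF = ("char_ref", re.compile(r"&#"))           # "&#"
TAG = ("tag", re.compile(r"<[A-Za-z!/]"))            # '<' then alpha, ! or /
RULES = {
    "1.1": [
        CHAR_REF,
        TAG,
        ("script", re.compile(r"script:", re.I)),
        ("handler", re.compile(r"\bon[a-z]+\s*=", re.I)),   # onXXX=
        ("expression", re.compile(r"expression\(", re.I)),
    ],
    "2.0": [CHAR_REF, TAG],
}


def is_exempt(version, field_name):
    """1.1 skips only __VIEWSTATE; 2.0 skips every name starting with '__'."""
    if version == "1.1":
        return field_name == "__VIEWSTATE"
    return field_name.startswith("__")


def matched_rules(version, field_name, value):
    """Names of the summary rules that would flag this form field."""
    if is_exempt(version, field_name):
        return []
    return [name for name, rx in RULES[version] if rx.search(value)]


def compare(fields):
    """Map each field name to the rules hit under 1.1 and under 2.0."""
    return {f: {v: matched_rules(v, f, val) for v in RULES}
            for f, val in fields.items()}


# Constructed sample form fields, not taken from any real request.
SAMPLE = {
    "comment": "<b>hello</b>", "math": "a < b", "entity": "&#60;",
    "attr": "x onmouseover=y", "style": "width: expression(1)",
    "link": "javascript:void(0)",
    "__CUSTOM": "<b>hello</b>", "__VIEWSTATE": "<b>hello</b>",
}

if __name__ == "__main__":
    for field, hits in compare(SAMPLE).items():
        print(f"{field:12} 1.1={hits['1.1']} 2.0={hits['2.0']}")
```

Fields that are flagged only under 1.1 (here `attr`, `style`, `link` and `__CUSTOM`) reach page code unchanged on 2.0, so the application's own input handling has to account for them.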
To disable request validation:
On a single page:
<%@ Page validateRequest="false" %>
For the entire application:
<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>