C# - Why Isn't ValidateRequest True Enough For XSS Prevention

Apr 1, 2010

In the notes for Step 1 in the "How To: Prevent Cross-Site Scripting in ASP.NET" it is stated that you should "not rely on ASP.NET request validation. Treat it as an extra precautionary measure in addition to your own input validation."

View 2 Replies


Similar Messages:

Security :: To Validate When ValidateRequest="true"?

Jan 26, 2010

Do I have to validate cookies, user input, query string, database output for XSS when my page is set to ValidateRequest="true"?

View 5 Replies

Asp.net - Is There Java Counterpart For 4's <%: %> XSS Prevention

Apr 9, 2010

I'm a developer moving from C# to Java. I heard about a new ASP.NET feature, <%: %>. It renders objects with HTML encoding. Only those implementing the IHtmlString interface are not encoded (to prevent double encoding). See more at http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

View 2 Replies

C# - Javascript Injection Attack Prevention For Textboxes?

Nov 26, 2010

I have a textBox and a property to get and set its value:

public string SomeText
{
    get { return HttpUtility.HtmlEncode(textBox.Text); }
    set { textBox.Text = HttpUtility.HtmlEncode(value); }
}

I have used HtmlEncode to prevent Javascript injection attacks. After thinking about it though I'm thinking I only need the HtmlEncode on the getter. The setter is only used by the system and can not be accessed by an external user.

View 2 Replies

Asp.net - Client Validation That Acts The Same As Page Validator/XSS Prevention?

Feb 9, 2011

I've got a free text form for people to submit feedback/support requests. Occasionally people will paste in a support ticket or error log that contains something that triggers the .NET page validator as an XSS attempt. This takes the user to the error page as if the site choked on their input. Preferably, I'd rather have the page do some client-side validation when they press the save button before it's actually submitted. Is there a regex or some method I can hook into that would do the same basic check on the client side, or will I just have to write a regex that disallows certain characters altogether, like < and >?

View 1 Replies

SQL Server :: Create A 2005 New Login For SQL Injection Prevention

Sep 1, 2010

Our database was affected by SQL injection, so we need to create a new SQL Server 2005 login for SQL injection prevention. The user can: access tables with select, update and delete queries; access views, functions and stored procs; perform cursors. What permissions should be given to that login account?

View 1 Replies

Forms Data Controls :: FormView, AllowPaging=true, And AutoPostBack=true?

Feb 24, 2010

It took me a little while to figure this out, but the AllowPaging="true" on the FormView seems to be the culprit. I don't have much experience paging from a FormView, but for this requirement the customer wants this kind of UI. I have a FormView with DefaultMode="Edit", which is bound to an EntityDataSource. One of the entity's properties, "ExternalID", determines whether some of the other properties in the entity are read-only. For example, if IsExternal==null, the FirstName, LastName, and Email fields should be rendered as TextBoxes. If IsExternal!=null, the 3 properties should be rendered in Label controls.

View 2 Replies

Use Of Validaterequest False?

Jun 28, 2010

Tell me the use of ValidateRequest False?

View 4 Replies

Set ValidateRequest To False?

Nov 2, 2010

I'm using the FreeTextBox HTML editor in some webforms in my ASP.NET project. If I do not set the ValidateRequest property to false I get this error:

A potentially dangerous Request.Form value was detected from the client

It's OK in the admin folder though, because only authorized users have access to work with it. But how about public pages, like sections where every user has access to leave comments (using FreeTextBox for collecting users' comments)? Isn't it risky for XSS attacks? If the answer is not yes, so what's the ValidateRequest property for?

View 3 Replies

C# - ValidateRequest Per Control?

Jan 16, 2010

My ASP.NET page contains "ValidateRequest = true". However, there is one textbox in the page for which I don't want ASP.NET to validate. Is there a way to make it false for that one control? If there isn't, is there a way to ignore the "Potential Threat" error, assuming it comes from that particular control?

View 1 Replies

Difference Between EnableEventValidation And ValidateRequest?

Jan 22, 2010

What is the difference between enableEventValidation and validateRequest? Although the former is on postback/callback caused by a control (server side only, I assume?), the latter is on every request, which is caused by a control posting back anyway? Or would validateRequest kick in by a standard HTML link being clicked?

View 2 Replies

AJAX :: How To Ignore Validaterequest On 1 Button

Sep 6, 2010

I've got an AJAX page with 2 panels on it. On Panel1 there is a next button. On that panel there is a pref. button and a next button. But if I push the pref. button it should do an action, but that's not possible because there are requestedfieldvalidators on that page. So I need to fill in the page first, and then I can go back.

But on the next I want the validators. How can I make this possible?

View 2 Replies

Web Forms :: ValidateRequest And Enableeventvalidation - Differences?

Feb 24, 2010

What is the difference between validateRequest (which validates form and querystring values) and also enableeventvalidation, which works on post/call backs? In specific, what confuses me is that validateRequest can only be possible by a postback as this is how form values etc will be picked up?

View 1 Replies

MVC 3 ValidateRequest (false) Not Working With FormCollection

Dec 5, 2010

FYI I am using .NET 4.0 / MVC 3. In my controller, the following is my code:

[HttpPost]
[ValidateInput(false)]
public ViewResult Edit(ContentTemplateView contentTemplateView, FormCollection collection)

Everything works fine when I don't enter HTML, so I know the proper controller is being fired. Also, I have following set properly in my web.config files:

<httpRuntime requestValidationMode="2.0"/>

I only get this problem when I include the FormCollection (which is needed for this particular Controller). So what exactly am I doing wrong? [I have done what was proposed on the following questions, and they work as long as there is no FormCollection. None of them offer a solution with an included FormCollection]: "Why is ValidateInput(False) not working?"; "Asp.Net MVC Input Validation still firing after being disabled"; "ValidateInput Attribute Doesn't Seem To Work in ASP.NET MVC".

View 2 Replies

Security :: ValidateRequest, And Basic HTML Failure?

Jun 28, 2010

Here's the situation. I have an aspx page that is designed to receive a POST request with some XML values, parse the XML, grab the relevant items, and write them to the page. The problem arises when I try to launch the page using the POST request. When I launch using Fiddler, building the request manually and just pasting the XML in the body of the request everything works fine and dandy. When I launch the page from a basic HTML form, however, things don't go so great. The HTML form that I'm using looks like this:

[Code]....

When the page loads I get the error:

A potentially dangerous Request.Form value was detected from the client

Everything I've read so far has told me that the solution is to add ValidateRequest="false" to the page directive in the top of the .aspx file, or in the pages element of the web.config file. But neither of these work. Afterwards, I still get the same error. Any idea what I need to do to make this work?

View 5 Replies

Allow HTML Text In Asp Textbox Without Using ValidateRequest=false

Jul 24, 2010

Is it possible to send HTML text entered in an ASP.NET text box without setting ValidateRequest to false?

View 1 Replies

HttpHandlers / Modules :: Disabling ValidateRequest In HttpModule?

May 12, 2010

I just updated my project to ASP.NET 4. All of a sudden, some of my HttpHandlers are giving ValidateRequest errors. This is because the user HAS to be able to put an XML string in the querystring. I know how to disable ValidateRequest on a page, but how do I do it on an HTTPHandler?

View 1 Replies

Security :: Reason For ValidateRequest Allowing &bull; But Not &#8226?

Jul 9, 2010

I've noticed that setting ValidateRequest="true" on the page blocks input of the form &#8226; but not &bull; - which are the same characters. Does anyone know why the first type is not allowed but the second type is? I really could not find a place where it defines what is meant by dangerous script and what is actually blocked when the ValidateRequest is set to true.

View 3 Replies

C# - Submitting Html Code Without Setting ValidateRequest To False?

Feb 10, 2011

I have a textbox and I want the user to be able to submit a YouTube embed code.

Is this possible without setting 'ValidateRequest' to false?

View 2 Replies

Web Forms :: Why The ValidateRequest Does Not Work When Html Tags Are Sent By __doPostBack Method In Javascript

Sep 18, 2010

Why does ValidateRequest not work when HTML tags are sent by the __doPostBack method in JavaScript?

[Code]....

View 4 Replies

Security :: ValidateRequest Does Not Work When Html Tags Are Sent By __doPostBack Method In Javascript?

Sep 18, 2010

Why does ValidateRequest not work when HTML tags are sent by the __doPostBack method in JavaScript?

<script>

[Code]....

</script>

View 4 Replies

Web Forms :: ValidateRequest: A Potentially Dangerous Request Error When Add Special Character In The Textbox And Submit

Mar 12, 2010

I have a problem: when I add some special character in the textbox and submit the page, it gives an error: A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$txtname="<test>"). I found the solution to this problem with ValidateRequest="false". But if I do this then the request will not be validated and the probability of attacks will increase. What should I do for this without using the ValidateRequest attribute?

View 4 Replies

Data Controls :: Alert Return False On Confirm True And Return True On Confirm False On Value Exists

Mar 26, 2016

I have an approve button. On clicking this button it should show that an inactive value is present. On clicking yes at the confirmation it should save the data, or else clicking no at the confirmation should return false. How will I do that? After the alert it always submits the data.

protected void ibtApprove_Click(object sender, ImageClickEventArgs e)
{

string otherAffiliateName = txtRequestedAffiliate.Text;
int inActiveAffiliates = new BLRating().InActiveAAffiliateChecking(otherAffiliateName);
if (inActiveAffiliates > 0)

[code]...

This is the code I used. How will I stay back on Confirm 'no' click?

View 1 Replies

MVC :: Why Does CheckBox Return "true, False" Instead Of "true"

Aug 12, 2010

Suppose a CheckBox has name "cbFoo". When it is checked, ViewData["cbFoo"] returns "true,false" instead of just "true".

View 11 Replies

A Potentially Dangerous Request.Form Value Was Detected / Can't Set ValidateRequest="false"

Aug 16, 2010

I'm using a php script to http post some xml files to a .net URL.

When I submit I get the response:

A potentially dangerous Request.Form
value was detected from the client
(<?xml version="...UTF-8"?> <!DOCTYPE
cXML SYSTE...").

Description: Request Validation has detected a potentially dangerous client input value, and
processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

As I'm not using .NET I can't set ValidateRequest="false" in web.config.

Do I need to sanitize my XML before submitting? How can I do this?

View 3 Replies






