This post originated from an RSS feed registered with .NET Buzz by Peter van Ooijen. Original Post: Protecting an ASP.NET page against malicious input with ValidateRequest (A potentially dangerous... Feed Title: Peter's Gekko Feed URL: /error.htm?aspxerrorpath=/blogs/peter.van.ooijen/rss.aspx Feed Description: My weblog cotains tips tricks and opinions on ASP.NET, tablet PC's and tech in general. Latest .NET Buzz Posts Latest .NET Buzz Posts by Peter van Ooijen Latest Posts From Peter's Gekko

By default ASP.NET jumps through some hoops to protect your asp.net applications against malicious user input. It does this by scanning the data post back on tags which might contain unintended markup or even script. Take a page where the users enters something like

Now on postback asp.net will raise an exception

It suspects the <SCRIPT> piece of text. It will also suspect something like <B>

To prevent this you have to set the page directive validateRequest to false

Now all user input is accepted.

But you can still scan the user input for malicious input by using the ValidateInput() method of the Request. This methods validates three parts of the input

• Form variables
• QueryString
• Cookies

It does work in a somewhat strange matter. At first sight nothing happens. But the moment you touch one of the parts it is validated. In case it does contain suspected input an HttpRequestValidationException exception is thrown. This snippet of code demonstrates how to work with ValidateInput.

You cannot influence what ValidateInput will scan for, that's hard coded. But it does issue a warning and you know what part of the input needs a closer investigation.