Creating your own custom request validation
Here is sample code for a custom request validator that allows all HTML tags except script tags. Keep in mind that blocking only "<script" is not an XSS defence by itself: event-handler attributes (onerror=, onload=), javascript: URLs and similar constructs run script without any script tag, so input that passes this validator still has to be HTML-encoded on output or run through a real HTML sanitizer.
You will also need to register the validator in web.config:
<httpRuntime requestValidationType="Globals.CustomRequestValidation" />
The type name is resolved like other type references in web.config: a class under App_Code can be named by namespace and class as above, while a class compiled into its own assembly needs the assembly-qualified form, e.g. "Globals.CustomRequestValidation, MyAssembly".
NOTE: From inside the validator there is currently no way to find out whether the page being requested has validateRequest="false". I've submitted feedback to Microsoft about this. Also note that under the .NET 4 validation mode (requestValidationMode="4.0") a page-level validateRequest="false" is ignored anyway; the application has to be switched to requestValidationMode="2.0" before the Page directive can turn validation off.
Code
using System;
using System.Web;
using System.Web.Util;

namespace Globals
{
    /// <summary>
    /// Custom request validator: accepts any input that does not contain a
    /// script tag, so ordinary HTML markup passes request validation unchanged.
    /// </summary>
    public class CustomRequestValidation : RequestValidator
    {
        public CustomRequestValidation() { }

        protected override bool IsValidRequestString(HttpContext context, string value,
            RequestValidationSource requestValidationSource, string collectionKey,
            out int validationFailureIndex)
        {
            // Block script tags. An ordinal, case-insensitive search catches
            // <SCRIPT and <ScRiPt without depending on the thread culture
            // (ToLower() would miss "<SCRIPT" under e.g. the Turkish culture,
            // where an upper-case I lower-cases to a dotless i).
            int idx = value == null
                ? -1
                : value.IndexOf("<script", StringComparison.OrdinalIgnoreCase);

            if (idx >= 0)
            {
                // Report where in the value the problem starts.
                validationFailureIndex = idx;
                return false;
            }

            // Anything else is accepted as-is; the built-in rules are not consulted.
            validationFailureIndex = 0;
            return true;
        }
    }
}
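As an added example (not code from the original post), the console program below wires the same "<script" rule into a RequestValidator subclass with a public test hook and runs it over a handful of constructed inputs, so you can see exactly what the rule stops and what it lets through. It goes a little beyond the post by including payloads that carry no script tag at all, which is the case the caveat above is about. It assumes a full .NET Framework 4.x console project with a reference to System.Web; the names ScriptTagValidator, Check and ValidatorDemo are chosen for this example and do not come from the post.

```csharp
using System;
using System.Web;
using System.Web.Util;

namespace Globals
{
    /// <summary>
    /// Same rule as CustomRequestValidation (reject any string containing "<script"),
    /// plus a public Check() hook so the rule can be exercised outside the ASP.NET
    /// pipeline. Class and method names are chosen for this example only.
    /// </summary>
    public class ScriptTagValidator : RequestValidator
    {
        protected override bool IsValidRequestString(HttpContext context, string value,
            RequestValidationSource requestValidationSource, string collectionKey,
            out int validationFailureIndex)
        {
            // Ordinal, case-insensitive search so <SCRIPT and <ScRiPt are caught
            // without depending on the thread culture's ToLower rules.
            int idx = value == null
                ? -1
                : value.IndexOf("<script", StringComparison.OrdinalIgnoreCase);

            if (idx >= 0)
            {
                validationFailureIndex = idx;
                return false;
            }

            validationFailureIndex = 0;
            return true;
        }

        // Test hook. In a real request ASP.NET calls IsValidRequestString itself;
        // the rule above never touches the context, so passing null is fine here.
        public bool Check(string value, out int failureIndex)
        {
            return IsValidRequestString(null, value, RequestValidationSource.Form,
                                        "input", out failureIndex);
        }
    }

    public static class ValidatorDemo
    {
        // Constructed sample inputs (not captured traffic). Expected outcome:
        //   first two  : ALLOWED, plain formatting tags the post wants to let through
        //   next three : BLOCKED, a script tag in any casing
        //   last three : ALLOWED, yet each one executes JavaScript in a browser,
        //                which is why this rule alone is not an XSS defence
        static readonly string[] Samples =
        {
            "<b>bold</b> and <i>italic</i>",
            "<a href=\"/page\">link</a>",
            "<script>alert(1)</script>",
            "<SCRIPT SRC=//example/x.js></SCRIPT>",
            "<ScRiPt>alert(1)</ScRiPt>",
            "<img src=x onerror=alert(1)>",
            "<svg onload=alert(1)>",
            "<a href=\"javascript:alert(1)\">click</a>",
        };

        public static void Main()
        {
            var validator = new ScriptTagValidator();
            foreach (string sample in Samples)
            {
                int idx;
                bool ok = validator.Check(sample, out idx);
                Console.WriteLine("{0} {1}{2}",
                    ok ? "ALLOWED" : "BLOCKED",
                    sample,
                    ok ? "" : "  (offending index " + idx + ")");
            }
        }
    }
}
```

The three inputs reported as ALLOWED at the end are the point of the exercise: a validator that only looks for "<script" is a convenience for letting markup through, not a substitute for output encoding.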
This doesn't seem to work on .NET 4. Am I doing something wrong?
My web.config setting is
Server is Win 2003, IIS 6.
Hi, please provide a sample of your web.config; it should be a configuration issue.
Web.config file:
----------------------------
<!-- ignore 404 -->
Oops, didn't post correctly. See it at http://pastebin.com/qf2yCT3V
The web.config looks decent enough. Did you set a breakpoint in the custom validator? It might be better to give the custom validator a namespace, e.g. Globals, just to be on the safe side.
Still doesn't work. See http://pastebin.com/QtSftueu, that's what I use. I even return true just to make sure it works.
I installed a basic Windows 2003 R2 SP2 server, installed the application role and .NET 4.0. Thereafter, using the default site and a default.aspx, I used the following web.config and custom validator:
Web.config: http://pastebin.com/cnrpmti0
Custom Validator: http://pastebin.com/d2dmd6yR
Setting the custom validator to always return false results in:
Server Error in '/' Application.
A potentially dangerous Request.PathInfo value was detected from the client (="").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: . After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.PathInfo value was detected from the client (="").
Perhaps you might want to try reducing your web.config, or try it on a brand new project; it could be that something is blocking this.