
Creating your own custom request validation

Here's sample code to create your own custom request validation that allows all HTML tags except script tags.

You will need to modify the web.config as well:

<httpRuntime requestValidationType="Globals.CustomRequestValidation"/>

NOTE: There is currently no way for the validator to find out whether the page has validateRequest=false. I've submitted feedback to Microsoft; click here to view the status of the request.


Code

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Util;

namespace Globals
{
    /// <summary>
    /// Custom request validator: allows HTML in request values but rejects
    /// anything that opens a script element. Overriding IsValidRequestString
    /// replaces ASP.NET's built-in validation for every request source
    /// (query string, form, cookies, path, PathInfo, ...), so this check is
    /// the only one that runs.
    /// </summary>
    public class CustomRequestValidation : RequestValidator
    {
        public CustomRequestValidation() { }

        protected override bool IsValidRequestString(HttpContext context, string value,
            RequestValidationSource requestValidationSource, string collectionKey,
            out int validationFailureIndex)
        {
            // ASP.NET also invokes the validator for empty values (e.g. PathInfo);
            // there is nothing to inspect in that case.
            if (string.IsNullOrEmpty(value))
            {
                validationFailureIndex = 0;
                return true;
            }

            // block script tags (case-insensitive match, no lower-cased copy needed)
            var idx = value.IndexOf("<script", StringComparison.OrdinalIgnoreCase);
            if (idx > -1)
            {
                validationFailureIndex = idx;
                return false;
            }
            else
            {
                validationFailureIndex = 0;
                return true;
            }
        }
    }
}
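Because an override replaces the default validation for every request source, the following added example (mine, not code from the original post) shows a variant that applies the relaxed "anything but <script" rule only to posted form fields and defers to base.IsValidRequestString for everything else. The class name ScopedRequestValidation and the Check helper are assumed names, and the HttpContext built in Check exists only to exercise the rules outside the ASP.NET pipeline.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Util;

namespace Globals
{
    // Hypothetical variant of the post's validator (added example, not the original code).
    // Only form fields, where a rich-text editor would submit HTML, get the relaxed rule;
    // query string, cookies, path, PathInfo, RawUrl and files keep ASP.NET's default checks.
    public class ScopedRequestValidation : RequestValidator
    {
        protected override bool IsValidRequestString(HttpContext context, string value,
            RequestValidationSource source, string collectionKey, out int validationFailureIndex)
        {
            // ASP.NET calls the validator for empty values too (see the PathInfo error in the
            // comments); an empty string cannot contain a tag, so accept it.
            if (string.IsNullOrEmpty(value))
            {
                validationFailureIndex = 0;
                return true;
            }

            if (source != RequestValidationSource.Form)
            {
                // Default rules also reject "<img onerror=...", "<!--", "</", "&#" and similar,
                // which a bare "<script" search would let through.
                return base.IsValidRequestString(context, value, source, collectionKey,
                                                 out validationFailureIndex);
            }

            // Form field: allow HTML but reject anything that opens a script element.
            int idx = value.IndexOf("<script", StringComparison.OrdinalIgnoreCase);
            validationFailureIndex = idx > -1 ? idx : 0;
            return idx == -1;
        }

        // Public wrapper so the rules can be exercised from a console app or unit test.
        // The context is constructed here; the default rules do not depend on it.
        public bool Check(string value, RequestValidationSource source, out int failureIndex)
        {
            var ctx = new HttpContext(new HttpRequest("default.aspx", "http://localhost/", ""),
                                      new HttpResponse(TextWriter.Null));
            return IsValidRequestString(ctx, value, source, "field", out failureIndex);
        }
    }
}
```

With this variant, Check("<b>hi</b>", RequestValidationSource.Form, out i) returns true, while the same value from RequestValidationSource.QueryString returns false because the default rules reject "<" followed by a letter.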

Categories: ASP.NET
  1. nll
    October 8, 2010 at 7:07 pm | #1

    This doesn't seem to work on .NET 4; am I doing something wrong?
    My web.config setting is

    Server is Win 2003 IIS 6

  2. kwanann
    October 11, 2010 at 8:49 am | #2

    Hi, please provide a sample of your web.config; it should be a configuration issue.

    • nll
      October 11, 2010 at 3:38 pm | #3

      Web.config file:
      ----------------------------

      <!-- ignore 404

      -->

  3. nll
    October 11, 2010 at 3:41 pm | #4

    Oops, didn't post correctly; see it at http://pastebin.com/qf2yCT3V

  4. October 14, 2010 at 7:46 am | #5

    The web.config looks decent enough. Did you enter a breakpoint on the custom validator? It might be better to give the custom validator a namespace, e.g. Globals, just to be on the safe side.

  5. nll
    October 14, 2010 at 4:01 pm | #6

    Still doesn't work. See http://pastebin.com/QtSftueu, that's what I use. I even return true just to make sure it works.

    • October 19, 2010 at 10:08 pm | #7

      I installed a basic Windows 2003 R2 SP2 server, installed the application role and .NET 4.0. Thereafter, using the default site and a default.aspx, I used the following web.config and custom validator:

      Web.config: http://pastebin.com/cnrpmti0
      Custom Validator: http://pastebin.com/d2dmd6yR

      Setting the custom validator to always return false results in:
      Server Error in '/' Application.
      A potentially dangerous Request.PathInfo value was detected from the client (="").
      Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: . After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

      Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.PathInfo value was detected from the client (="").

      Perhaps you might want to try reducing your web.config, or try it on a brand new project; it could be that something is blocking this.
