<body>

Tech Tips, Tricks & Trivia

by 'Anil' Radhakrishna
An architect's notes, experiments, discoveries and annotated bookmarks.



HOW TO manage the ASP.NET ValidateRequest property in different cases

Request validation is a useful ASP.NET feature, controlled by the ValidateRequest property, that prevents potentially unsafe input from being submitted to the server.

By default, request validation is enabled in Machine.config. If a user submits text that looks like markup (tags, for example) through an ASP.NET page that has ValidateRequest="True", ASP.NET throws an HttpRequestValidationException and shows an ugly error page. A neat way of handling this error, as shared by Kirk Allen Evans, is to override the OnError method of the Page class and show a friendly message instead of the regular "A potentially dangerous..." message that could scare a timid user.

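protected override void OnError(EventArgs e)
{
    // The exception that triggered the page's Error event.
    System.Exception oops = Server.GetLastError();

    if (oops != null && oops.GetBaseException() is System.Web.HttpRequestValidationException)
    {
        // Request validation rejected the submitted input.
        //System.Diagnostics.Debug.Assert(false);
        //Response.Write(oops.ToString());
        //Insert a friendly message asking user not to enter anything like tags.
        Response.StatusCode = 200; // send a normal response instead of the error status
        Response.End();
    }
    else
    {
        // Any other error: keep the default handling, which raises the Error event.
        base.OnError(e);
    }
}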

If ValidateRequest has to be set to False, you can cautiously constrain input through client- and server-side validation with carefully crafted regular expressions to prevent cross-site scripting (XSS) attacks, OR filter user input to allow only safe HTML elements such as bold and italic tags, OR fearlessly accept the input and encode the output using the Server.HtmlEncode method. Client-side checks can be bypassed, so the server-side check is the one that actually protects the page.
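
The three options above, sketched as an added example that is not code from the original post. The class name SafeInput, the name-field pattern and the sample strings are assumptions made for illustration; HttpUtility.HtmlEncode is the static equivalent of Server.HtmlEncode and needs a reference to System.Web.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility.HtmlEncode

// Hypothetical helper class, written for this example only.
public static class SafeInput
{
    // Option 1: constrain input on the server with an allow-list pattern.
    // Assumed rule for a "name" field: letters, spaces, apostrophes and
    // periods, 1 to 40 characters, nothing else.
    private static readonly Regex NamePattern =
        new Regex(@"^[a-zA-Z'. ]{1,40}\z", RegexOptions.CultureInvariant);

    public static bool IsValidName(string value)
    {
        return value != null && NamePattern.IsMatch(value);
    }

    // Options 2 and 3 combined: encode everything first, then turn back on
    // only the bare <b>, </b>, <i>, </i> tags. A tag carrying attributes
    // never matches, so it stays encoded and is displayed as text.
    private static readonly Regex AllowedTag =
        new Regex(@"&lt;(/?)(b|i)&gt;",
                  RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static string EncodeAllowingBoldItalic(string value)
    {
        string encoded = HttpUtility.HtmlEncode(value ?? string.Empty);
        return AllowedTag.Replace(encoded, "<$1$2>");
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string[] samples =
        {
            "<b>bold</b> and <script>alert(1)</script>",
            "<I>italic</I> but <b onmouseover=x>attribute</b>",
            "already encoded: &lt;b&gt;"
        };
        foreach (string s in samples)
            Console.WriteLine(EncodeAllowingBoldItalic(s));

        Console.WriteLine(IsValidName("O'Brien"));
        Console.WriteLine(IsValidName("<b>Bob</b>"));
    }
}
```

Because the encoding step runs before the allow-list step, anything the pattern does not explicitly re-enable reaches the browser as inert text.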
