A potentially dangerous client input value

[andreister]

Hi there,

I've come across the next problem: angle brackets in values being sent
to a server.
Because of this stuff HttpRequestValidationException occurs (FW 2.0).

It seems that the validateRequest being set to FALSE should help (e.g.,
http://kb.seekdotnet.com/ViewArticle.aspx?ID=42)... but I need to
support FW 1.0 as well as its successors!!!

Not sure I see any way to fix this at one ample swoop.
Maybe anybody could help dope out a solution?

Thanks,
Andrew

 

[=?ISO-8859-1?Q?G=F6ran_Andersson?=]

I'm not sure about framework 1.0, but the ValidateRequest attribute is
at least supported from framework 1.1.

 

[Cowboy \(Gregory A. Beamer\)]

Validate with Regular expressions. It allows you to set up a condition that
fails angle brackets without losing validation. Your other option is
validation up the stack, but you will want to validate prior to taking an
expensive trip to the database.

--
Gregory A. Beamer

*************************************************
Think Outside the Box!
*************************************************

 

[andreister]

Hummm, maybe I was not so clear.
Actually the problem is that FW1.0 works okay (without exceptions, no
wonder) but FW2.0 throws an HttpRequestValidationException.

I have to support both, and my intent is to allow angle brackets in
request variables. For FW2.0 it could be done by adding a false
validationRequest attribute either to a page or to the web.config file.
But this would break FW1.0 because the attribute isn't defined there.

Hope now my problem becomes more evident

Though here seems to be a workaround. I guess, validation should occur
in this way:

-- HttpRequest refers to the Form field or to the QueryString field or
something
-- HttpRequest.ValidateNameValueCollection
-- HttpRequest.ValidateString

So I could catch an HttpException wherever I address such fields in my
code. Looks like this should behave like validateRequest=false
approach.