how to try-catch potentially dangerous Request.Form value exception

angus

Dear All,

How can I try-catch this exception: "A potentially dangerous Request.Form value was detected
from the client (txtUserName="<asdf")."?

I've set the debugger in the Page_Init function, but this page is shown
before the Page_Init function.

I know that I can set validateRequest="false" in my page, but how can I
try-catch it?


Thank you.

Regards,
angus

ref: http://asp.net/faq/images/requestValidation3.png
 
Michael O'Donovan [MSFT]

Hi Angus,

I assume you are trying to catch the exception so that you can show a
friendly error, log it and handle gracefully. I can think of 2 options:

1. Use the Application_Error method in the global.asax to catch the
exception and then take appropriate action. This is a pretty good article
for handling errors in ASP.NET
http://msdn.microsoft.com/asp.net/u...l=/library/en-us/dnaspp/html/CustomErrors.asp.
2. Do all form and data validation yourself. This would give you more
control on detecting potential attacks, and you could have your "try and
catch". However you may not cover all scenarios, hence I don't recommend this
option by itself.

I would actually go for both. Let ASP.NET detect malicious content, but
also do your own validation on form fields, querystrings etc. (i.e. all user
input). Tip: Don't try and create rules on what is not allowed, create
rules on what is allowed. E.g. don't create rules that disallow & and % and
^ and @ etc., rather create the rule that only allows 0-9, a-z and A-Z.

Hope this helps,
Michael
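
The two options from the reply above, combined in one sketch. This is an added example, not code posted by anyone in the thread. It assumes a hypothetical friendly error page `~/InvalidInput.aspx`, a hypothetical helper class `InputRules`, and a 32-character length limit that the thread does not mention.

```csharp
// Global.asax.cs -- added example, not code from the thread.
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;
using System.Web;

public class Global : HttpApplication
{
    // Runs for every unhandled exception, so it also sees the request
    // validation failure that is raised before Page_Init executes.
    protected void Application_Error(object sender, EventArgs e)
    {
        // The exception can arrive wrapped (for example in
        // HttpUnhandledException), so walk the InnerException chain.
        for (Exception ex = Server.GetLastError(); ex != null; ex = ex.InnerException)
        {
            if (ex is HttpRequestValidationException)
            {
                // Log on the server; never echo the rejected value to the client.
                Trace.TraceWarning("Request validation rejected input from {0} on {1}",
                                   Request.UserHostAddress, Request.Path);
                Server.ClearError();
                // Hypothetical friendly error page (assumption, not from the thread).
                Response.Redirect("~/InvalidInput.aspx", false);
                CompleteRequest();
                return;
            }
        }
        // Anything else falls through to the normal <customErrors> handling.
    }
}

// Hypothetical helper for the "rules on what is allowed" tip.
public static class InputRules
{
    // Allow-list: only 0-9, a-z, A-Z. \A and \z anchor the whole string, so a
    // trailing newline cannot slip through the way it can with ^ and $.
    // The 1-32 length bound is an assumption for this example.
    private static readonly Regex UserName =
        new Regex(@"\A[0-9a-zA-Z]{1,32}\z", RegexOptions.CultureInvariant);

    public static bool IsValidUserName(string value)
    {
        return value != null && UserName.IsMatch(value);
    }
}
```

In the page's code-behind, `InputRules.IsValidUserName(txtUserName.Text)` would be checked before the value is used, with request validation left enabled.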
 
