
Saravana Kumar
Vinod Kumar


Request Validation - Preventing Script Attacks

     A new ASP.NET version 1.1 feature, request validation, prevents the server from accepting content containing un-encoded HTML. This feature is designed to help prevent some script-injection attacks whereby client script code or HTML can be unknowingly submitted to a server, stored, and then presented to other users. We still strongly recommend that you validate all input data and HTML encode it when appropriate. 

     The .NET Framework 1.1 automatically protects you from people performing script injections. This is a form of hacking where somebody posts script in a POST variable hoping to compromise your website. The automatic protection is a little rough, and throws the message "A Potentially dangerous request.form value was detected from the client.." even if harmless HTML tags are inserted.

You can turn off the protection for a single page by inserting this directive at the top:
 
<%@ Page validateRequest="false" %>
 
Or you can turn it off for the entire website in the web.config file, which removes the check from every page in the application:
 
<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>
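
A page that turns request validation off has to do the validation and HTML encoding itself, as recommended above. The single-file page below is an added example, not code from the original article; the control names (CommentBox, Status, Preview) and the 500-character limit are assumptions made for the illustration.

```aspx
<%@ Page Language="C#" validateRequest="false" %>
<%-- Added example: request validation is off for this page only, so the
     page validates the input itself and encodes it before output. --%>
<script runat="server">
    // Assumed limit for this example; choose one that fits your data.
    const int MaxCommentLength = 500;

    void Submit_Click(object sender, EventArgs e)
    {
        string raw = CommentBox.Text;

        // Validate first: reject empty or oversized input.
        if (raw == null || raw.Trim().Length == 0 || raw.Length > MaxCommentLength)
        {
            Status.Text = "Comment must be between 1 and " + MaxCommentLength + " characters.";
            Preview.Text = "";
            return;
        }

        // Encode on output: a Literal writes its Text as-is, so the value
        // is HTML encoded here and any tags are displayed as plain text.
        Preview.Text = Server.HtmlEncode(raw);
        Status.Text = "Comment accepted.";
    }
</script>
<html>
<body>
  <form runat="server">
    <asp:TextBox id="CommentBox" TextMode="MultiLine" Rows="4" Columns="50" runat="server" />
    <asp:Button id="Submit" Text="Post" OnClick="Submit_Click" runat="server" />
    <p><asp:Label id="Status" runat="server" /></p>
    <p><asp:Literal id="Preview" runat="server" /></p>
  </form>
</body>
</html>
```

If the value is stored and shown on other pages, each of those pages needs the same Server.HtmlEncode call where it writes the value out.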