Is it possible to delete some data using the HttpModule?

I am converting an old classic ASP site to ASP.NET.

The application is an extension of the toolbox for this set of users, but it is hosted by an external provider.

To perform a smooth transfer to this application, it sends some XML data that causes the "potentially dangerous Request.Form value". I know that I can disable the validateRequest flag, but I would prefer not to.

I wrote an HTTP module that takes this data and uses it to authenticate the user. Is it possible to use the same module or another module to remove these "bad" values in the message data before the data is "verified"?

Otherwise, if none of these ideas work, I am open to other suggestions.

+5
3 answers

Yes. The following class implements the IHttpModule interface and registers an event that will fire before an HttpRequestValidationException is thrown. It checks that the request is a POST and that "testinput" is not null, and then it HTML-encodes it. The class must be registered in your Web.config as an httpModule.

class ...

using System;
using System.Collections.Specialized;
using System.Reflection;
using System.Web;

public class PrevalidationSanitizer : System.Web.IHttpModule
{
    private HttpApplication httpApp;

    public void Init(HttpApplication httpApp)
    {
        this.httpApp = httpApp;
        httpApp.PreRequestHandlerExecute += new System.EventHandler(PreRequestHandlerExecute_Event);
    }

    public void Dispose() { }

    // Runs before the page handler executes.
    public void PreRequestHandlerExecute_Event(object sender, System.EventArgs args)
    {
        NameValueCollection form = httpApp.Request.Form;

        // Request.Form is read-only; clear the non-public IsReadOnly flag via reflection.
        Type type = form.GetType();

        PropertyInfo prop = type.GetProperty("IsReadOnly", BindingFlags.Instance 
            | BindingFlags.IgnoreCase | BindingFlags.NonPublic | BindingFlags.FlattenHierarchy);

        prop.SetValue(form, false, null);

        // Only rewrite POST requests that actually carry the "testinput" field.
        if (httpApp.Request.RequestType == "POST"
            && httpApp.Request.Form["testinput"] != null)
        {
            httpApp.Request.Form.Set("testinput"
                , httpApp.Server.HtmlEncode(httpApp.Request.Form["testinput"]));
        }
    }
}

write to web.config ...

<system.web>
  <httpModules>
    <add type="PrevalidationSanitizer" name="PrevalidationSanitizer" />
...
+7
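The module above leaves the field HTML-encoded, so code that later reads the XML has to decode it before parsing. The following is an added example (not part of the original answer) of decoding the value and parsing it with DTDs and external resolution disabled, assuming .NET 4.0 or later; the class name `HandoffXml` and the `/handoff/userId` element path are hypothetical.

```csharp
using System;
using System.IO;
using System.Net;
using System.Xml;

public static class HandoffXml
{
    // Decodes the value the module HTML-encoded, then parses it defensively.
    // Returns null for empty, malformed, oversized or DTD-bearing input.
    public static string ReadUserId(string encodedField)
    {
        if (string.IsNullOrEmpty(encodedField)) return null;
        string xml = WebUtility.HtmlDecode(encodedField);

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> raises XmlException
            XmlResolver = null,                      // never fetch external resources
            MaxCharactersInDocument = 16 * 1024      // bound the payload size
        };
        try
        {
            using (XmlReader reader = XmlReader.Create(new StringReader(xml), settings))
            {
                var doc = new XmlDocument { XmlResolver = null };
                doc.Load(reader);
                // Hypothetical element path; use the one the sending site really emits.
                XmlNode node = doc.SelectSingleNode("/handoff/userId");
                return node == null ? null : node.InnerText.Trim();
            }
        }
        catch (XmlException) { return null; }
    }

    public static void Main()
    {
        // Constructed samples: what Request.Form["testinput"] holds after the module ran.
        string ok = WebUtility.HtmlEncode("<handoff><userId>jdoe</userId></handoff>");
        string dtd = WebUtility.HtmlEncode(
            "<!DOCTYPE x [<!ENTITY e \"v\">]><handoff><userId>&e;</userId></handoff>");
        Console.WriteLine(ReadUserId(ok) ?? "rejected");
        Console.WriteLine(ReadUserId(dtd) ?? "rejected");
    }
}
```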

XML- HTML. , , "", , , ASP ASPX. , .

, , . , ASP , ASP.

ASP , ASP, XHR XML ashx, XML GUID. GUID , XML. ASPX GUID XML.

0

. validateRequest ?

Just make sure that you have sanitized the input correctly and encoded it if you need to store it anywhere, and/or make sure that you do not write the field back to the browser without encoding it.

0