Geek Answers Handbook

Validate an ASP.NET request with HTML encoded characters

I have a text box in a form that should accept input with HTML tags.

Sending input with HTML tags makes the application throw an HttpRequestValidationException if we do not use HttpUtility.HtmlEncode . Easy so far.

However, the input may also contain characters, such as the degrees symbol (°). When they are also encoded in HTML, they become numeric escape codes, in this example ° . These codes also HttpRequestValidationException , but the question is why?

I cannot understand why numeric escape codes are considered potentially dangerous, especially if ° works as very simple.

I seem to be stuck as I leave the input as-because of the tags, and the HTML encoding of the input fails because of the numeric screens. My solution so far has been to encode HTML, and then the regular expression has replaced the escape sequences with their decoded HTML forms, but I'm not sure if this is a safe solution, since I assume that escape sequences are considered dangerous for some reason reason.

+4
source share
5 answers

This is because ASP.NET has built-in Cross-Site Scripting validation capabilities. There is some list of what is allowed and what is not ASP.NET, here on SO: Reasons for checking an ASP.NET request: is there a list?

In the specific case of # encoded characters, there is a complete reference to the XSS attacks available here: XSS (Cross Site Scripting) Cheat Sheet , which demonstrate how complex these attacks are and why coded characters are prohibited.

+2
source

ASP.NET considers html char escapes (& #xxx) dangerous for the same reason that it considers the angle bracket dangerous, that is, XSS. Using the above transition, you can turn on any character (for example, an angular bracket). Here's a summary of what query validation is done in versions 1.1 and 2.0.

For legal cases, such as your case, you can choose any of the below

  • Choose your own treatment as described by you.
  • Disable request validation on page level (<% @Page ValidateRequest = "false")
  • In .NET 4, replace your own request validation using the RequestValidator class.
+5
source

You can read the Exploits Script Overview in msdn help.

If you are sure that you are processing any possible input of malicious code on your page, you can disable the check using the page <% @validateRequest = "false"%>.

0
source

I would advise you to study limited HTML client-side coding, fairly easy access to jquery by attaching processing to the submit form.

What do I mean by limited? Ampersands, brackets, and quotation marks must be encoded, but not Unicode characters. You indicate that, in fact, the numerical emission codes are evil and reduced, unlike their unlimited equivalents!

You can run a string that you send through a javascript function similar to the following code, providing you a value that will pass the request check:

 function safeString(s) { return s.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g, "&quot;"); }

This may cause you some sadness if, after saving it or performing server-side magic with the presented value, you want to re-display it inside the input. Let me clarify: if you just put a line encoded this way in an empty paragraph, it will display fine; however, if you upload it to a text box, you will see & lt; instead of <

Ironically, when writing the last sentence, I had to enter & lt < and & lt, respectively ...

0
source

Just add the directive (the first line of the page) this attribute to your page:

ValidateRequest = "false"

-2
source

More articles:


All Articles