Not dangerous if I set ValidateRequest to false?

I am using the FreeTextBox HTML editor in some web forms in my ASP.NET project. If I do not set the ValidateRequest property to false, I get this error:

A potentially dangerous Request.Form value was detected from the client

This is fine in the admin folder, because only authorized users have access to work with it. But what about public pages, such as sections where every user can post comments (using FreeTextBox to collect user comments)? Isn't that dangerous as far as XSS attacks go? And if it isn't, then what is the ValidateRequest property for?

+4
4 answers

No, you're right, this is potentially dangerous. The idea is that .NET does not want to limit what can be done with this control, but at the same time it removes many of the possibilities for a security hole. The ValidateRequest property exists so you can tell ASP.NET: "Hey, don't worry about it. I'm going to check it myself, because I expect that something will look dangerous to you."

Request validation is on by default because it is dangerous not to check for potential XSS attacks, and it is better to get a validation error that you didn't understand than to have your site hacked.

+6

Yes, it's normal to disable request validation.

Request validation looks for the most common characters and phrases used in XSS and similar attacks, but it cannot catch every possible way of carrying out an exploit. So while request validation offers protection against most exploits, you are never fully protected by it; you still have to treat all input as potentially evil.

The primary goal of request validation is to protect applications written by people who are not aware of XSS attacks and the like, so that those applications are not completely insecure. If you know how to handle input correctly, and actually implement that correctly, request validation is not required.

+3
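To make the "most common characters" point concrete, here is an added example that is not code from the thread or from ASP.NET itself: a Python re-implementation of the check that ASP.NET 4.x request validation applies to each Request.Form value, as I understand it, run over constructed sample inputs. The sample values, the render_link_* helpers and the scheme allow-list are my own illustration.

```python
import html

# Added example, not code from the thread or from ASP.NET itself: a Python
# re-implementation of the request-validation heuristic as I understand it,
# plus constructed inputs that show what it rejects and what it lets through.

def is_dangerous_string(value: str) -> bool:
    """Mirror of the ASP.NET 4.x request-validation rule (my reimplementation).

    A value is rejected when it contains '<' followed by an ASCII letter,
    '!', '/' or '?', or the two-character sequence '&#'. A '<' or '&' in
    the last position is never flagged.
    """
    for i in range(len(value) - 1):
        ch, nxt = value[i], value[i + 1]
        if ch == "<" and ((nxt.isascii() and nxt.isalpha()) or nxt in "!/?"):
            return True
        if ch == "&" and nxt == "#":
            return True
    return False

# Constructed sample form values (not taken from any real application).
REJECTED_BY_VALIDATION = [
    "<script>alert(1)</script>",       # '<' + letter
    "<img src=x onerror=alert(1)>",     # '<' + letter
    "</p><b>",                           # '<' + '/'
    "&#60;script&#62;",                  # '&#' numeric entity
]

PASSES_VALIDATION = [
    "x < y && y > 0",                    # legitimate text containing '<'
    "javascript:alert(1)",               # dangerous only when used as a URL
    '" onmouseover="alert(1)',           # dangerous only inside an attribute
    "<1 >",                              # '<' + digit is not flagged
]

def partition(values):
    """Split values into (rejected, passed) the way request validation would."""
    rejected = [v for v in values if is_dangerous_string(v)]
    passed = [v for v in values if not is_dangerous_string(v)]
    return rejected, passed

def render_link_unescaped(href: str) -> str:
    """A page that trusts a validated value: the 'javascript:' and
    attribute-breaking samples above pass validation and land here intact."""
    return f'<a href="{href}">link</a>'

def render_link_escaped(href: str) -> str:
    """Output encoding plus a scheme allow-list, applied regardless of
    ValidateRequest. This is the checking the answer says you must do yourself."""
    if not href.lower().startswith(("http://", "https://")):
        href = "#"
    return f'<a href="{html.escape(href, quote=True)}">link</a>'

if __name__ == "__main__":
    rejected, passed = partition(REJECTED_BY_VALIDATION + PASSES_VALIDATION)
    print("rejected:", rejected)
    print("passed  :", passed)
    for v in PASSES_VALIDATION[1:3]:
        print("unescaped:", render_link_unescaped(v))
        print("escaped  :", render_link_escaped(v))
```

The second list is the practical lesson: the heuristic only looks for tag-like and numeric-entity syntax, so anything that becomes dangerous because of where the page puts it (a URL attribute, an unquoted attribute value) is never rejected. Encoding at output time, as render_link_escaped does, covers those cases whether ValidateRequest is on or off.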

See ValidateRequest on MSDN. It states that the input is scanned for potentially dangerous content. That is all well and good if you only use input fields and the like for plain text. The problem starts when you want your users to provide, for example, a link to some other page, or when you start storing additional data (for example, an XML form) in hidden input fields. ValidateRequest will not tolerate that kind of content. ValidateRequest is a nice feature that I almost always end up turning off, but disabling it means you need to do some validation of your input yourself. In my opinion, you should always validate the input yourself.

+1

FreeTextBox control and "A potentially dangerous Request.Form value was detected from the client"

You can try another solution.

    if (!this.Page.ClientScript.IsOnSubmitStatementRegistered("Replace"))
    {
        // Registered once: just before the form submits, HTML-encode the editor's
        // content on the client so the posted value no longer contains raw '<'.
        string script = @"if (Page_IsValid) {
            FTB_API['" + txtBox.ClientID + @"'].initialized = false;
            FTB_API['" + txtBox.ClientID + @"'].htmlEditor.value =
                FTB_FreeTextBox.prototype.HtmlEncode(FTB_API['" + txtBox.ClientID + @"'].htmlEditor.value);
        }";
        this.Page.ClientScript.RegisterOnSubmitStatement(this.Page.GetType(), "Replace", script);
    }

and do not forget to replace the characters back when sending the string from the server to the client:

    if (!String.IsNullOrEmpty(yourstring))
    {
        // Decode the entities the client-side HtmlEncode produced before handing
        // the HTML back to the editor; '&amp;' is decoded after '&lt;' and '&gt;'.
        txtBox.Text = yourstring
            .Replace("&gt;", ">")
            .Replace("&lt;", "<")
            .Replace("&amp;", "&")
            .Replace("&quot;", "\"")
            .Replace("&#146;", "'");
    }

In this case, you do not need to disable ValidateRequest. You can also replace the characters before storing the string in the database.

+1
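As an added example that is not part of the answer above: Python equivalents of the server-side Replace chain, showing why the order of the replacements matters and which entities the chain leaves alone. The sample value is constructed, assuming the client-side HtmlEncode escapes &, <, > and " the way the snippet's decoder expects; the function names are mine.

```python
import html

# Added example (not the answer's own code): the five Replace calls from the C#
# snippet, in the answer's order and in a wrong order, next to html.unescape.

def decode_like_answer(s: str) -> str:
    """The same five replacements in the same order as the C# snippet:
    '&amp;' is decoded after '&lt;' and '&gt;'."""
    return (s.replace("&gt;", ">")
             .replace("&lt;", "<")
             .replace("&amp;", "&")
             .replace("&quot;", '"')
             .replace("&#146;", "'"))

def decode_amp_first(s: str) -> str:
    """Same replacements with '&amp;' handled first. The '&' it produces is
    then seen again by the '&lt;'/'&gt;' passes, so text the user typed as a
    literal entity comes out as markup (a double decode)."""
    return (s.replace("&amp;", "&")
             .replace("&gt;", ">")
             .replace("&lt;", "<")
             .replace("&quot;", '"')
             .replace("&#146;", "'"))

# Constructed: what the client encoder would post for the editor content
# <b>a &lt; b</b>, i.e. bold markup plus a '&lt;' the user typed literally.
POSTED_VALUE = "&lt;b&gt;a &amp;lt; b&lt;/b&gt;"

def compare(posted: str) -> dict:
    """Return the three decodings side by side for a posted value."""
    return {
        "answer_order": decode_like_answer(posted),
        "amp_first": decode_amp_first(posted),
        "html_unescape": html.unescape(posted),   # single pass over all entities
    }

if __name__ == "__main__":
    for name, result in compare(POSTED_VALUE).items():
        print(f"{name:14s} {result}")
    # Entities outside the snippet's list are left as-is by the chain.
    print(decode_like_answer("caf&eacute;"), "|", html.unescape("caf&eacute;"))
```

The answer's ordering is the correct one for a single-pass decode: `&amp;` must be expanded last, otherwise `&amp;lt;` becomes `&lt;` and then `<`. The standard-library `html.unescape` gives the same result as the correct order and additionally handles named and numeric entities the five Replace calls do not cover. One caveat to keep in mind with this approach: after decoding, the server holds the raw HTML that request validation never inspected, so whatever checking you would have done with ValidateRequest off still has to happen here before the value is stored or rendered.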
