Why is ValidateRequest = "true" not enough to prevent XSS?

The notes for step 1 of “How To: Prevent Cross-Site Scripting in ASP.NET” indicate that you should “not rely on ASP.NET request validation. Consider this as an extra precaution in addition to your own input validation”.

Why is this not enough?

+6
c# xss
2 answers

On the one hand, hackers always come up with new attacks and new ways to insert XSS. ASP.NET RequestValidation is only updated when a new version of ASP.NET is released, so if someone comes up with a new attack the day after the ASP.NET RequestValidation is released, it will not catch it.

This (I believe) is one of the reasons the AntiXSS project came about, so it may have a faster release cycle.

+2

Just two tips:

  • Your application may not only display data that has been entered using ASP.NET forms. Think about web services, RSS feeds, other databases, information extracted from user uploads, etc.

  • Sometimes it is necessary to disable the default validation (effective, but too simple), because you need to accept angle brackets in your forms. Think of the WYSIWYG editor.

+2
