What characters or character combinations are invalid when the ValidateRequest parameter is set to true?

I tried looking at Microsoft and Googling, but no one seemed to have an answer other than < and >. There is more than that. I noticed that the HTML starter &# is not valid. Is there anything else? Does anyone have a complete list?

Thanks!

+6
security sql-injection xss
2 answers

List of characters by Framework version

1.1 Framework validation checks:

* &#
* <alpha, <!, </
* script
* On handlers like onmouseenter, etc…
* expression(
* Looks for these starting characters ('<', '&', 'o', 'O', 's', 'S', 'e', 'E')

This is obviously a pretty strict list of items that fail validation. In version 2.0 of the Framework, Microsoft decided to relax the restrictions on this quite a bit. The following is a list of validation checks in the 2.0 Framework.

2.0 Framework validation checks:

* &#
* <alpha, <!, </, <?
* Looks for these starting characters ('<', '&')
+8
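
A small model of the two lists in the answer above, added here as an example; it is not ASP.NET's code or the answerer's. The regexes used for "script" and on-handlers are assumptions (the page does not say how they are matched), and the sample strings are constructed.

```python
import re

# Patterns transcribed from the two lists in the answer. The "starting
# characters" in each list are simply the first characters of these patterns.
CHECKS_2_0 = [
    ("&#", re.compile(r"&#")),
    ("<alpha, <!, </, <?", re.compile(r"<[A-Za-z!/?]")),
]
CHECKS_1_1 = [
    ("&#", re.compile(r"&#")),
    ("<alpha, <!, </", re.compile(r"<[A-Za-z!/]")),
    # Assumption: plain case-insensitive substring match.
    ("script", re.compile(r"script", re.I)),
    # Assumption: "on" + letters + "=" stands in for "on handlers".
    ("on handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("expression(", re.compile(r"expression\(", re.I)),
]

def rejected_by(value, version="2.0"):
    """Return the names of the listed checks that `value` would trip."""
    checks = CHECKS_2_0 if version == "2.0" else CHECKS_1_1
    return [name for name, rx in checks if rx.search(value)]

# Constructed sample inputs (not taken from the page).
SAMPLES = [
    "a < b and c > d",         # '<' followed by a space: passes both lists
    "<b>bold</b>",
    "Tom &amp; Jerry",         # '&' not followed by '#': passes both lists
    "&#60;",
    "see the script notes",    # only the stricter 1.1 list flags this
    "onmouseenter=go()",
    "width: expression(1+1)",
    "<?xml version='1.0'?>",   # '<?' appears only in the 2.0 list
]

def compare(samples=SAMPLES):
    """Map each sample to (1.1 hits, 2.0 hits) so the relaxation is visible."""
    return {s: (rejected_by(s, "1.1"), rejected_by(s, "2.0")) for s in samples}

if __name__ == "__main__":
    for s, (old, new) in compare().items():
        print(f"{s!r:28} 1.1={old or 'ok'} 2.0={new or 'ok'}")
```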

I do not have a complete list, but why is this needed? You can set ValidateRequest = false and prevent script injection yourself.

You may find the list here: Allow percentages, angle brackets, and other naughty things in the ASP.NET/IIS URL

0