ASP.NET Request Validation - Preventing Script Attacks

Objective: This article describes the request validation feature of ASP.NET, which by default rejects any request whose form fields, query string or cookies contain unencoded HTML markup, failing it with an HttpRequestValidationException ("A potentially dangerous Request.Form value was detected from the client"). Request validation can be disabled for a page when the application has been designed to process HTML safely. Doing so moves the burden of preventing cross-site scripting onto the application, which then has to sanitize the markup it accepts and HTML-encode anything it echoes back as text.

Background: More often than not, I use a rich text editor in my administrative forms in place of a multi-line text box, for its obvious advantages. Rich text editors let us lay out text and images much as a word processor does, which adds a layer of aesthetics and convenience. This rich functionality is made possible by wrapping the content in HTML/XHTML markup. That works fine, except that ASP.NET 1.1 and above by default refuses to process forms carrying such content, as a defence against cross-site scripting: an attacker who can get markup past the server and into a rendered page can run script in other users' browsers. To let the editor's output through, we can add a directive at the top of the page that turns request validation off for that page only.

Procedure:

  1. Open the web form in which HTML markup will be submitted. Below is an example:

    (screenshot: html-in-form)

  2. Add ValidateRequest="False" to the Page directive at the top of the page, as shown below. On ASP.NET 4.0 and later the page-level setting has no effect unless web.config also contains <httpRuntime requestValidationMode="2.0" /> inside <system.web>, because validation otherwise runs earlier in the pipeline, before the page is ever invoked, and the exception is still thrown.

    <%@ Page Language="VB" ValidateRequest="False" %>

  3. That's it! Enjoy. Just remember that the page now accepts raw markup, so sanitize it against an allowlist of tags before storing it, and HTML-encode it wherever it is rendered as text rather than as markup.
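The procedure above, put together as one complete single-file web form. This is an added example, not code from the original article: it assumes a hypothetical form with a multi-line TextBox named BodyEditor standing in for the rich text editor, a Save button, and a Literal named Preview that renders the result. Because the directive lets raw markup reach the server, the code-behind does not trust it: SanitizeHtml HTML-encodes everything and then restores only exact, attribute-free tags from a small allowlist, so <script> blocks, on* handlers and javascript: URLs can never come back out as live markup.

```aspx
<%@ Page Language="VB" ValidateRequest="False" AutoEventWireup="true" %>
<%-- ASP.NET 4.0+: also set <httpRuntime requestValidationMode="2.0" /> in web.config,
     otherwise this directive is ignored and the request still fails validation. --%>
<script runat="server">
    ' Tags the rich-text editor is allowed to emit (hypothetical list for this example).
    ' Only exact, attribute-free forms of these are restored; everything else stays encoded.
    Private Shared ReadOnly AllowedTags As String() = {"p", "b", "i", "u", "strong", "em", "ul", "ol", "li", "br"}

    ' Encode the whole string first, then selectively decode allowlisted tags.
    ' A tag with attributes, e.g. <p onclick="...">, does not match any pattern
    ' below and therefore renders as visible text instead of executing.
    Public Shared Function SanitizeHtml(ByVal input As String) As String
        If input Is Nothing Then Return String.Empty
        Dim s As String = HttpUtility.HtmlEncode(input)
        For Each tag As String In AllowedTags
            s = s.Replace("&lt;" & tag & "&gt;", "<" & tag & ">")       ' <b>
            s = s.Replace("&lt;/" & tag & "&gt;", "</" & tag & ">")     ' </b>
            s = s.Replace("&lt;" & tag & " /&gt;", "<" & tag & " />")   ' <br />
            s = s.Replace("&lt;" & tag & "/&gt;", "<" & tag & "/>")     ' <br/>
        Next
        Return s
    End Function

    Protected Sub Save_Click(ByVal sender As Object, ByVal e As EventArgs)
        ' With ValidateRequest="False" this value may contain <script>, onerror=, etc.
        Dim submitted As String = BodyEditor.Text
        Dim safe As String = SanitizeHtml(submitted)
        ' Persist and render 'safe', never 'submitted'.
        Preview.Text = safe
    End Sub
</script>
<html>
<body>
  <form id="form1" runat="server">
    <asp:TextBox ID="BodyEditor" runat="server" TextMode="MultiLine" Rows="10" Columns="60" />
    <asp:Button ID="Save" runat="server" Text="Save" OnClick="Save_Click" />
    <hr />
    <%-- Literal writes its Text unencoded, which is exactly why it must only ever receive sanitized HTML. --%>
    <asp:Literal ID="Preview" runat="server" />
  </form>
</body>
</html>
```

Submitting `<b>Hello</b><script>alert(1)</script>` through this form stores and renders `<b>Hello</b>&lt;script&gt;alert(1)&lt;/script&gt;`: the bold survives, the script is shown as text. The string comparisons in Replace are ordinal and case-sensitive, so an editor that emits `<B>` would have its tags left encoded rather than restored, which fails safe; normalise the editor output to lowercase before calling SanitizeHtml if that matters. A production application would typically use a dedicated HTML sanitizer library instead of this hand-rolled allowlist, but the design principle is the same: encode by default and re-enable only what you have explicitly approved.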