By default ASP.NET jumps through some hoops to protect your asp.net applications against malicious user input. It does this by scanning the data post back on tags which might contain unintended markup or even script. Take a page where the users enters something like
Now on postback asp.net will raise an exception
It suspects the <SCRIPT> piece of text. It will also suspect something like <B>
To prevent this you have to set the page directive validateRequest to false
Now all user input is accepted.
But you can still scan the user input for malicious input by using the ValidateInput() method of the Request. This methods validates three parts of the input
- Form variables
- QueryString
- Cookies
It does work in a somewhat strange matter. At first sight nothing happens. But the moment you touch one of the parts it is validated. In case it does contain suspected input an HttpRequestValidationException exception is thrown. This snippet of code demonstrates how to work with ValidateInput.
[Flags]
public enum RequestValid
{
AllInValid = 0,
FormValid = 1,
QueryStringValid = 2,
CookiesValid = 4
}
private RequestValid validateRequest()
{
RequestValid isValid = RequestValid.AllInValid;
Request.ValidateInput();
try
{
object touchForm = Request.Form;
isValid = isValid | RequestValid.FormValid;
}
catch(HttpRequestValidationException)
{
// Take action
}
try
{
object touchQueryString = Request.QueryString;
isValid = isValid | RequestValid.QueryStringValid;
}
catch(HttpRequestValidationException)
{
// Take action
}
try
{
object touchCookies = Request.Cookies;
isValid = isValid | RequestValid.CookiesValid;
}
catch(HttpRequestValidationException)
{
// Take action
}
return isValid;
}
You cannot influence what ValidateInput will scan for, that's hard coded. But it does issue a warning and you know what part of the input needs a closer investigation.