Request Validation – Preventing Script Attacks


By default, the application is prevented from processing unencoded HTML content submitted to the server (that is, the page has ValidateRequest="true", which helps us prevent script attacks).

This request validation feature can be disabled when the application has been designed to safely process HTML data. Whenever you work with DotNetNuke, this feature is disabled by default.

The question then is how to prevent script attacks in such cases.

One solution is to stop users from submitting input that contains such scripts, or in other words HTML tags, so that we can prevent script attacks.

Here is one solution using a RegularExpressionValidator.

Suppose we have a textbox that takes some input text from the user and we do not want them to type any HTML tags. Here is the code for that:


<asp:TextBox runat="server" ID="txtName"></asp:TextBox>

<asp:RegularExpressionValidator runat="server" ID="regName" ControlToValidate="txtName" Display="Dynamic" ValidationGroup="Employeevalgrp" ValidationExpression="^[^<>]+$" ErrorMessage="Html tags are not allowed."/>

<asp:Button runat="server" ID="btnSaveEmployeeInfo" ValidationGroup="Employeevalgrp"
    CausesValidation="true" OnClick="btnSaveEmployeeInfo_Click" />

When the user presses the button, the validator checks the input text, and the text is submitted only if it passes the validation test.

Note that we are not validating the request here; we are only validating the input that is going to be submitted to the server.
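Because the validator's client-side check runs in the browser, the click handler should repeat the check on the server before using the value. The code-behind below is an added example, not part of the original post: the class name EmployeeForm and the label lblStatus are hypothetical, while txtName, regName, the validation group and the handler name come from the markup above.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind class; txtName and regName are the controls
// declared in the markup above (their fields live in the designer file).
public partial class EmployeeForm : Page
{
    // Same pattern as the validator's ValidationExpression.
    private static readonly Regex NoAngleBrackets =
        new Regex(@"^[^<>]+$", RegexOptions.CultureInvariant);

    protected void btnSaveEmployeeInfo_Click(object sender, EventArgs e)
    {
        // Re-run the validators of this group on the server. A request
        // posted without the browser-side script never ran them.
        Page.Validate("Employeevalgrp");
        if (!Page.IsValid)
        {
            return;
        }

        string name = (txtName.Text ?? string.Empty).Trim();

        // RegularExpressionValidator treats an empty control as valid,
        // so reject empty input explicitly and re-check the pattern.
        if (name.Length == 0 || !NoAngleBrackets.IsMatch(name))
        {
            regName.IsValid = false; // shows "Html tags are not allowed."
            return;
        }

        // Persist 'name' here (application-specific, not shown on the page).

        // Encode whenever the value is written back into HTML, so the
        // page does not depend on input filtering alone.
        // lblStatus is a hypothetical Label control.
        lblStatus.Text = "Saved: " + HttpUtility.HtmlEncode(name);
    }
}
```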

Hope this will help !!!
