ValidateInput

    Question

  • I would like to trap HttpRequestValidationException. Nothing seems to work.

     

    Assuming malicious input then:

    If you turn off validation for the page it works as designed... nothing gets trapped. If you leave it on, neither code snippet will get executed. With validation off, the only exception that is thrown is format related. Some notes are included in the code snippets.

     

    Both ways, 1) with ValidateRequest="true" or 2) ValidateRequest="false" and the code below, will result in the ASP.NET error page.

     

    Does anybody know how to properly catch an HttpRequestValidationException?

     

    I think this needs to be configured with custom errors in ASP.NET but I would like to ask before I start down that path.

     

    Thanks

     

    --------------------------------------------------------------------

    Code Snippets:

    protected void TextBox1_TextChanged(object sender, EventArgs e)
    {
        // this event only gets here with ValidateRequest = "false"
        try
        {
            HttpRequest r = Page.Request;
            r.ValidateInput();
            // the exception has occurred, see below but is not trapped
        }
        catch (HttpRequestValidationException ex)
        {
            // nothing gets here but webpage brings up ASP.NET error page
            // see below
        }
        try
        {
            string s = TextBox1.Text; // this control has "<script ..."
        }
        catch
        {
            // nothing gets here but webpage brings up ASP.NET error page
            // see below
        }
    }

     

    ------------------------------------------------------------

    The ASP.NET stack is:

     

    Server Error in '/' Application.

    A potentially dangerous Request.Form value was detected from the client (TextBox1="<script Test...").

    Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

    Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TextBox1="<script Test...").

    Source Error:

    [No relevant source lines]

    Source File: c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\6244dff5\1fa413d1\App_Web_v8fkzfz3.1.cs    Line: 0

    Stack Trace:

    [HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (TextBox1="<script Test...").]
       System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +3219534
       System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +108
       System.Web.HttpRequest.get_Form() +119
       System.Web.HttpRequest.get_HasForm() +57
       System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +2025185
       System.Web.UI.Page.DeterminePostBackMode() +60
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6953
       System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +154
       System.Web.UI.Page.ProcessRequest() +86
       System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
       System.Web.UI.Page.ProcessRequest(HttpContext context) +49
       ASP.test_aspx.ProcessRequest(HttpContext context) in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\6244dff5\1fa413d1\App_Web_v8fkzfz3.1.cs:0
       System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +154
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64
    


    Version Information: Microsoft .NET Framework Version:2.0.50727.42; ASP.NET Version:2.0.50727.210

     

    ----------------------------------------------------

     

    Browse of r.form is:

     

    'r.form' threw an exception of type 'System.Web.HttpRequestValidationException'

     

     

    Tuesday, April 24, 2007 6:13 PM
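Added example, not part of the original post: the stack trace above shows the exception being raised inside Page.ProcessRequestMain (DeterminePostBackMode reading Request.Form), before any control event handler runs, so a try/catch inside TextBox1_TextChanged never sees it. One way to trap it while leaving ValidateRequest="true" is the page-level error hook. The class name TestPage, the 400 status and the message text are assumptions made for illustration.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind class for the page in the question; the real
// class name is not shown in the post. ValidateRequest stays "true".
public partial class TestPage : Page
{
    // Page.ProcessRequest routes unhandled exceptions from the page
    // life cycle, including the one thrown while the posted form is first
    // read, through OnError. This is the earliest point page code sees it.
    protected override void OnError(EventArgs e)
    {
        HttpRequestValidationException rejected =
            Server.GetLastError() as HttpRequestValidationException;

        if (rejected == null)
        {
            // Some other failure: leave normal error handling in place.
            base.OnError(e);
            return;
        }

        // Keep a record for later review. Only the exception message is
        // logged; Request.Form is not read here because touching it
        // would raise the same exception again.
        System.Diagnostics.Trace.TraceWarning(
            "Request validation rejected input from {0} on {1}: {2}",
            Request.UserHostAddress, Request.Path, rejected.Message);

        // Clearing the error stops ASP.NET from rendering its error page.
        Server.ClearError();

        // Reply with a fixed message. None of the submitted text is
        // echoed back, so nothing here needs HTML encoding.
        Response.Clear();
        Response.StatusCode = 400;
        Response.ContentType = "text/plain";
        Response.Write("The submitted text contains characters that are not allowed.");
    }
}
```

The same check on Server.GetLastError() can be placed in Application_Error in Global.asax to cover every page in the application.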

Answers