Wednesday, February 18, 2009

Responses to ValidateRequest="false" ?

I'm having to set ValidateRequest="false" on one of my pages because users need to enter a value that contains an html tag (well think it is anyway). I understand why the "potentially dangerous request.form detected" error and why it is being thrown, but my question is:

What could a malicious user possibly do to my application by putting HTML fields within a form field? Is there a vulnerability I should know about in, or would bad coding on my part really only be the thing I need to worry about if ValidateRequest="false".

The main issue is Cross Site Scripting. If your site takes input from the
user and then displays it back to the user without first validating it, you
could potentially allow a bad guy to use your site to which is trusted by
your users to steal their cookies or other data.

The built-in request validation stuff in 1.1 tries to keep you from shooting
yourself in the foot by not allowing you to accidentally do this. If you
are careful, it is safe to turn the behavior off, but you need to make sure
you thoroughly validate all input before returning it back to the browser.
Add validateRequest="false" to your Page directive, eg.:

<%@ Page validateRequest="false" %>

you can add the following to the system.web section of your web.config:

< pages validateRequest="false" />

1 comment:

Chani said...

If you lead the request open to it then many other things are at ris. People can bolden things and inject italics.