Reputation: 4076
Potentially dangerous input ASP.NET
.NET 4.0
VS 2012
IIS 7
I have an app that takes in email addresses on various pages, and I'm finding that users are copy/pasting directly into a few inputs and it's triggering the error mentioned in the title, here's an example.
"blah blah" <[email protected]>
Obviously the brackets are triggering the problem. I realize I can simply switch the validation to 2.0, but I would prefer not doing that, so here are my question(s).
Is there a way to have the runtime react better? When this is encountered, instead of throwing up an uber scary page it treats it as an input error and displays a message to the user (in the general case) For example, in scenario I'm speaking of, I could display an error message about < and > not being allowed in email addresses. I like the protection, but I dislike the idea that the 'oops' page is shown everytime someone enters input that's potentially dangerous.
If I were to relax the validation:
- Can I do it on a per page basis? I don't believe so, but I'm asking for completeness
- What tools does ASP.NET give me to protect myself against these types of issues manually? I really don't want to get into the game of writing stuff to look over the input for potentially dangerous things.
Upvotes: 2
Views: 430
Answers (1)
Reputation: 5395
You can relax your validation on a per page basis by putting ValidateRequest="false" in the page heading.
You can then use a regular expression to validate the email address, like this:
<asp:RegularExpressionValidator ID="RegularExpressionValidator1" runat="server"
ControlToValidate="Email" ErrorMessage="Enter a valid e-mail address"
ValidationExpression="\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*" />
For other controls you could use the regular expression "^[^<>]+$" to check for angle brackets. In reality, you don't need to worry about "potentially dangerous" user input unless you're outputting it to the client (HTML / JavaScript), or you're including it in an SQL statement.
Alternatively, you could try to write a page level error handler in your page or an application level error handler in Global.asax.
Page level error handling: http://msdn.microsoft.com/en-us/library/ed577840(v=vs.100).aspx
Application level error handling: http://msdn.microsoft.com/en-us/library/24395wz3(v=vs.100).aspx
This page gives some useful info about disabling request validation in ASP.NET: http://msdn.microsoft.com/en-us/library/hh882339(v=vs.100).aspx
Upvotes: 3
Related Questions
- Best way to Sanitize user input
- List of Input Values which will cause the "A potentially dangerous Request.Form value was detected..." error
- Potentially dangerous Form value (Asp.net attack using fault page)
- A dangerous Request.Form when value entered into a textbox
- User input sanitisation in asp.net
- code being inserted
- ASP.NET Potentially Dangerous Request
- What to do for input sanitization?
- ASP.Net - A potentially dangerous Request from submitting HTML data
- Malicious input in ASP.NET MVC