lekso
Reputation: 1813
Why does ASP.NET dangerous request validation work this way?
Can anyone point me in the right direction with the following question.
The default "Dangerous Request" validation in ASP.NET prohibits inputs like
"<p", "<p>" or "<script>"
but at the same time allows inputs like
"<%script>" or "<.script>"
What is the rational here?
Upvotes: 0
Views: 53
Answers (1)
Richard
Reputation: 109180
<p,<p>or<script>
These look like HTML/XML tags.
<%script>or<.script>
but these do not.
And the validation is trying to stop cross site scripting, eg. submitting a field containing:
<script>alert("You're powned!")</script>
(except truly malicious) and when you just write that text back to the user without being careful to encode correctly the user has just injected code into your website.
Upvotes: 2
Related Questions
- Why potentially dangerous request error even ValidateRequest = false
- ASP.NET request validation causes: is there a list?
- A potentially dangerous Request.Form value was detected from the client
- What are the security implications of using ValidateRequest="false" to circumvent "A potentially dangerous Request.Form value was detected"?
- Dangerous Request.Form value was detected from the client - why?
- Request Validation - how and why is it disabled in SiteCore?
- ASP.NET: A potentially dangerous Request.Form value was detected from the client
- Problem with Request Validation
- A potentially dangerous Request.Form value was detected, but ValidateInput is false
- Asp.Net Validaterequest False