tags:

views:

667

answers:

2
+1  Q: 

Is it necessary to HtmlEncode Textbox values if ASP .Net Request Validation is enabled?

If ASP.NET Request Validation is enabled for a site, do you still need to HtmlEncode and HtmlDecode string information to and from simple forms (e.g. ASP Textboxes)?

+2  A: 

There's no danger from text in ASP.NET text boxes, whether Request Validation is on or off. The text box control automatically encodes data when displayed in the text box.

When outputting data that originated from the user in other places, it is important to HTML (or JavaScript) encode that data. ASP.NET's Request Validation provides only a minimum level of protection. It is not impenetrable, or even close to it. It is only designed to protect against the most simple attacks.

You still have to encode things as you output them on other parts of your site.

Edit
What I mean by other places, is that if the user enters the data into a text box, using the ASP.NET Text Box control is safe because the control automatically encodes the output so it will render safely.

Say, for example, you're working with StackOverflow's user info page. When a user chooses their username they could choose to input something that may be malicious when output in another part of your site. For example my StackOverflow login name is displayed at the top of every page for me, and is also listed on the "Users" page.

On the Users page, AJAX is used to load users. When JavaScript goes to evaluate the user name, it is not bound by the same encoding rules as HTML tags, so I could type something into the user name text box that could cause some breaking behavior when it is output in the User list.

StackOverflow obviously encodes user data correctly when sent to the client, so they're safe. Before sending my user name off to the client, they (presumably) have some JavaScript encoding routine that makes sure that my user name can't become malicious when executed in JavaScript code.

You could also have problems if using it in a non-ASP.NET input control. Input tags use attributes to define content, so you can easily enter text that would get past the Request Validation check but could allow the user to add a malicious "mouseover" attribute.

Dan Herbert  2009-10-02 17:51:08
What do you mean by <em>other</em> places? Buttons, options, links?
Steve  2009-10-02 18:10:57
+4  A: 

If ASP.NET Request Validation is enabled for a site, do you still need to HtmlEncode

ASP.NET Request Validation is a hack to try to work around stupid authors' broken programs. Don't write broken programs.

Any text string you write into an HTML page must be HTML-encoded; this is a matter of correctness, not just security (which is a subset of correctness). Even if Request Validation could magically remove any possible XSS attack (and that is so nothing like the case), failing to HtmlEncode text output would still leave you open to producing malformed output, mangling your data. Say I was making a forum post talking about some variables a, b and c and wanted to say:

a<b b>c b>a

If that was echoed to the HTML source unencoded, I'd get:

ac b>a

and maybe the rest of the page would be bold too. Whoops!

Request Validation is bogus and shouldn't be relied upon. Being on by default and “recommended for all production environments” is sad and makes me seriously doubt the sanity of the ASP.NET team.

If you have written your program correctly, you don't need it and it will just get in your way. (For example, if SO used it, I wouldn't be able to make this post that mentions the <script> tag.) If you haven't written your program correctly, Request Validation isn't going to fix your security holes, it's just going to make them a bit more obscure.

and HtmlDecode string information

You don't usually HtmlDecode anything in a web app. You encode to push content out into HTML, but when content comes back in from a submitted form it is as plain text, not HTML-encoded.

to and from simple forms (e.g. ASP Textboxes)?

Textboxes should be fine; setting their .Text does do any necessary encoding, making the exact string you had appear in the textbox. But. Some things that look like they should be HTML-encoding automatically actually don't. For example:

myTextBox.Text= "a<b b>c"; // Fine!
myLabel.Text= "a<b b>c"; // Broken!

Oh dear. Text does not always mean Text. Sometimes, it actually means HTML. Thank you Microsoft, way to muddy the waters of a topic too many people already find hard to understand.

bobince  2009-10-02 18:13:57

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps