While working on a huge form for a client I realized that the majority of the regex validators I had were for the same regex:

^[^<>]*$

It's an easy way to prevent HTML entry into TextBox controls.

I was curious if anyone else had a regex that they used more often or if there's one that I should be using instead of this one.

A: 

I think this approach is a little extreme. ASP.NET has validateRequest on by default in Machine.config:

<system.web>
  <pages buffer="true" validateRequest="true" />
</system.web>

Of course you can always set this yourself for the web app and it can be set at the page level as well:

<%@ Page Language="C#" ValidateRequest="true" %>

This prevents potentially harmful tags from being entered. For more details check out:

That's not to say that you shouldn't verify input, but I don't think it's appropriate to slap a regex validator on every single textbox control.

EDIT: if you're interested, it's possible to handle the ValidateRequest error to provide a friendlier message and keep the user on the same page (not just replace it with a custom error page). For more info, check out Kirk Evans' post: Handling ValidateRequest errors within a Page (refer to the section titled Overriding the OnError Method).

Ahmad Mageed
Actually I do have validateRequest set to true by default. The regex validator will display a much friendlier message than an error message would though.
travis
@travis: that's true. Take a look at my edit for a possible approach.
Ahmad Mageed
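
An added example, not part of the question, answer or comments above: a JavaScript sketch of what the pattern ^[^<>]*$ accepts and rejects as a full-match test, next to HTML-encoding the value when it is written back into a page. The function names and sample inputs are constructed for illustration; encodeHtml plays the role that HttpUtility.HtmlEncode has in ASP.NET.

```javascript
// Added example; passesFilter, encodeHtml, report and SAMPLES are hypothetical names.
const NO_ANGLE_BRACKETS = /^[^<>]*$/; // the pattern from the question

// Full-match test: true only when the value contains neither '<' nor '>'.
function passesFilter(value) {
  return NO_ANGLE_BRACKETS.test(value);
}

// Encode the HTML-significant characters at the point where a value is
// written into markup. This covers what the input filter lets through
// (ampersands, quotes) and what it would have rejected.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample inputs.
const SAMPLES = [
  'Jane Doe',              // ordinary text: accepted
  '',                      // empty: accepted, '*' allows zero characters
  'line one\nline two',    // multi-line: accepted, the class matches newlines
  'Tom & "Jerry"',         // accepted unchanged, so it still needs encoding on output
  'if a < b then stop',    // legitimate text, rejected because of '<'
  '<b>bold</b>',           // markup: rejected
];

// Pair each input with the filter decision and its encoded form.
function report(values) {
  return values.map((v) => ({
    input: v,
    accepted: passesFilter(v),
    encoded: encodeHtml(v),
  }));
}

for (const row of report(SAMPLES)) {
  console.log(JSON.stringify(row));
}
```

The filter decides only whether a value is accepted; encoding at output is what keeps accepted values such as quotes and ampersands from being interpreted as markup.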