Hey everyone, I'm using various ASP.NET controls out of the box, such as the CreateUserWizard control, Login control, etc. For custom controls, I have sanitized my inputs by making sure they conform to expected values. However, is this required for controls such as the CreateUserWizard control, or is that handled internally? Do I need to provide any extra server-side validation to these controls and, if so, would it be best to do it in the "CreateUserWizardControl_CreatingUser" event? Thanks
+1
A:
If input is coming from any form, then treat it as suspect. I've included some links here that may help you:
http://www.codersbarn.com/post/2008/11/01/ASPNET-Data-Input-Validation.aspx
IrishChieftain
2010-01-09 21:03:03
Thank you, IrishChieftain. That link is great. I guess extra validation is worth the slight increase in overhead compared to a potentially costly attack. I've already created a few Regex methods in my util class, so I'll pass MembershipProvider controls through them as well.
Skoder
2010-01-09 21:32:44
Most people don't consider anything other than forms - there are so many ways a hacker can get in. Keep an eye on CAT.NET :-)
IrishChieftain
2010-01-10 00:21:22
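As an added illustration (not code from any poster in this thread), this is one way to do the server-side check discussed above inside the `CreatingUser` event: validate the wizard's values against allowlist patterns and cancel before the membership provider is called. The page class `Register`, the `ValidationMessage` label, the helper `CheckRegistrationInput` and the patterns themselves are assumptions made for the example.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.UI.WebControls;

public partial class Register : System.Web.UI.Page   // hypothetical page class
{
    // Allowlist rules (assumed policy, adjust to your own requirements).
    // \A and \z anchor the whole string; "$" would also accept a trailing newline.
    private static readonly Regex UserNameRule =
        new Regex(@"\A[A-Za-z0-9_.-]{3,32}\z", RegexOptions.CultureInvariant);
    private static readonly Regex EmailRule =
        new Regex(@"\A[^@\s]{1,64}@[A-Za-z0-9.-]{1,190}\.[A-Za-z]{2,24}\z",
                  RegexOptions.CultureInvariant);

    // Wired in markup: OnCreatingUser="CreateUserWizardControl_CreatingUser"
    protected void CreateUserWizardControl_CreatingUser(object sender, LoginCancelEventArgs e)
    {
        var wizard = (CreateUserWizard)sender;
        string problem = CheckRegistrationInput(wizard.UserName, wizard.Email);
        if (problem != null)
        {
            // Cancelling here stops the wizard before Membership.CreateUser runs.
            e.Cancel = true;
            // ValidationMessage is a hypothetical Label declared on the page.
            // The text is a fixed string; the rejected input is never echoed back.
            ValidationMessage.Text = problem;
        }
    }

    // Returns null when both values pass, otherwise a fixed message.
    internal static string CheckRegistrationInput(string userName, string email)
    {
        if (string.IsNullOrEmpty(userName) || !UserNameRule.IsMatch(userName))
            return "User name must be 3-32 characters: letters, digits, '_', '.' or '-'.";

        // Length is bounded before the pattern runs so oversized input is rejected cheaply.
        if (string.IsNullOrEmpty(email) || email.Length > 254 || !EmailRule.IsMatch(email))
            return "Please enter a valid e-mail address.";

        return null;
    }
}
```

Because the handler runs on the server, it still applies when client-side validators are bypassed; values that pass should still be HTML-encoded wherever they are later displayed.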
A:
If you have request validation enabled then form data with script tags will generate an error automatically.
Josh
2010-01-09 21:19:44
The <script> was just an example. I'm still reading up on security, so there are no doubt other bits of code that could be injected, yet look valid.
Skoder
2010-01-09 21:31:13