Hi,

Do sites like Stack Overflow or asp.net use validateRequest="false" in their page directive? If "Yes", then how are they checking the user input, and if "No", then how are they able to post back the data?

A: 

The main things ValidateRequest is looking for are < and > characters, to stop you opening your site up to malicious users posting script and/or HTML to your site.

Answer to the second question, when ValidateRequest="false":

When request validation is disabled, content can be submitted to a page; it is the responsibility of the page developer to ensure that content is properly encoded or processed.

For encoding the data: Content can be easily HTML-encoded on the server using the Server.HtmlEncode(string) API. Content can also be easily HTML-decoded, that is, reverted back to standard HTML, using the Server.HtmlDecode(string) method.

Pranay Rana
Thanks for your reply, but this is not the complete answer. I just want to know how these sites are dealing with malicious inputs, just in case they set ValidateRequest = false. I mean, how are they verifying the input on the server side if they disable request validation?
Zerotoinfinite
Read the article link. By the way, by encoding data they avoid script attacks. Go to the article, which gives you more info: http://www.asp.net/learn/whitepapers/request-validation/
Pranay Rana
So does it mean that doing encoding on the server side is what is called validation of malicious input on the server side?
Zerotoinfinite
Yes, that is the only thing you can do if ValidateRequest is set to false.
Pranay Rana
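
The server-side encoding discussed in the answer and comments above, as an added example that is not code from the answer or from any of the sites mentioned. It goes one step beyond plain encoding by restoring a small allow-list of bare formatting tags after everything has been encoded. CommentRenderer, AllowedTags and the sample inputs are assumptions, and WebUtility.HtmlEncode stands in for Server.HtmlEncode so the code runs as a console program outside a web request.

```csharp
using System;
using System.Net;
using System.Text;

// Added example: console stand-in for a page running with ValidateRequest="false".
// Inside a page, Server.HtmlEncode(string) is the call the answer refers to.
static class CommentRenderer
{
    // Hypothetical allow-list: bare formatting tags, no attributes permitted.
    static readonly string[] AllowedTags = { "b", "i", "em", "strong" };

    // Encode everything, so all user-supplied markup becomes inert text.
    public static string EncodeAll(string raw) =>
        WebUtility.HtmlEncode(raw ?? string.Empty);

    // Encode first, then restore only exact allow-listed tags.
    // An opening tag with attributes never matches "&lt;b&gt;" and stays encoded.
    public static string EncodeWithFormatting(string raw)
    {
        var sb = new StringBuilder(EncodeAll(raw));
        foreach (var tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return sb.ToString();
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample inputs, as they would arrive in Request.Form.
        string[] posted =
        {
            "I <b>really</b> like this",
            "<script>alert(1)</script>",
            "<b onmouseover=\"alert(1)\">hover</b>",
            "x\" onfocus=\"alert(1)"
        };
        foreach (var raw in posted)
        {
            Console.WriteLine("raw     : " + raw);
            Console.WriteLine("encoded : " + CommentRenderer.EncodeAll(raw));
            Console.WriteLine("allowed : " + CommentRenderer.EncodeWithFormatting(raw));
        }
    }
}
```

HTML encoding of this kind covers element content and quoted attribute values; a value written into a script block or a URL needs the encoding for that context instead.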