I have a textbox in a form which needs to accept input with HTML tags.

Submitting input with HTML tags in it makes the app throw an HttpRequestValidationException, unless we use HttpUtility.HtmlEncode. Easy so far.

However, the input may also contain symbols, such as the 'degrees' symbol (°). When these are also HTML encoded, they become numeric escape codes, in this example &#176;. These codes also cause HttpRequestValidationException to be thrown, but the question is why?

I can't see why numeric escape codes are thought of as potentially dangerous, especially as ° works as input just fine.

I seem to be stuck, as leaving the input as-is fails due to the tags, and HTML encoding the input fails due to the numeric escapes. My solution so far has been to HTML encode, then regex replace the escape sequences with their HTML decoded forms, but I'm not sure if this is a safe solution, as I assume the escape sequences are seen as dangerous for a reason.

A: 

You can read the Script Exploits Overview in the MSDN help.

If you are sure that you handle any possible malicious code input in your page then you can disable validation using the <%@ Page validateRequest="false" %> directive.

jmservera
+1  A: 

ASP.NET considers HTML character escapes (&#xxx;) dangerous for the same reason it considers angle brackets dangerous, i.e. XSS. Using the above escape, you can include any character (for example, an angle bracket). Here's a summary of what request validation does in 1.1 and 2.0.

In legitimate cases such as yours, you can choose any of the below:

  1. Choose your own handling, as described by you
  2. Disable request validation at page level (<%@ Page validateRequest="false" %>)
  3. In .NET 4, substitute your own request validation using the RequestValidator class.
VinayC
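One way to take the third option while keeping request validation switched on, as an added C# example that is not code from either answer or from ASP.NET itself (the class name, the form field name "Description" and the web.config registration line are assumptions):

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Util;

// Hypothetical .NET 4 validator, not the poster's code. Validation stays on for
// every field; only the assumed "Description" field may carry numeric character
// references, and only ones that decode to harmless text (&#176; passes, &#60; fails).
// Assumed web.config wiring: <httpRuntime requestValidationType="EntityTolerantRequestValidator" />
public class EntityTolerantRequestValidator : RequestValidator
{
    private const string RelaxedField = "Description"; // assumed field name
    private static readonly Regex NumericRef =
        new Regex(@"&#(x[0-9A-Fa-f]{1,6}|[0-9]{1,7});", RegexOptions.Compiled);

    protected override bool IsValidRequestString(HttpContext context, string value,
        RequestValidationSource source, string collectionKey, out int validationFailureIndex)
    {
        validationFailureIndex = -1;
        if (source == RequestValidationSource.Form && collectionKey == RelaxedField && value != null)
        {
            // A reference that decodes to markup is exactly the XSS vector the
            // built-in check exists to block, so fail it here with its position.
            foreach (Match m in NumericRef.Matches(value))
            {
                if (!IsHarmless(CodePoint(m.Groups[1].Value)))
                {
                    validationFailureIndex = m.Index;
                    return false;
                }
            }
            // Drop the vetted references so the base validator never sees "&#",
            // but still scans the remainder for raw tags such as "<script".
            value = NumericRef.Replace(value, "");
        }
        return base.IsValidRequestString(context, value, source, collectionKey,
            out validationFailureIndex);
    }

    private static int CodePoint(string body)
    {
        return body[0] == 'x' ? Convert.ToInt32(body.Substring(1), 16) : int.Parse(body);
    }

    private static bool IsHarmless(int cp)
    {
        // Controls, DEL, surrogates and out-of-range values are never acceptable;
        // printable ASCII is acceptable unless it is markup-significant.
        if (cp < 0x20 || cp == 0x7F || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return false;
        return cp > 0x7E || "<>&\"'`".IndexOf((char)cp) < 0;
    }
}
```

Note that after a reference is stripped, any failure index reported by the base validator refers to the shortened string, which is good enough for diagnostics but not for exact error highlighting.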
applechewer