tags:

views:

382

answers:

5
+2  Q: 

Automatically sanitize entries on HttpRequestValidationException

The infamous A potentially dangerous Request.Form value was detected from the client question :)

Here's my use case: I have a FCKEditor control on a webpage, that allows users to type HTML. That precise webpage has validation turned off to allow its use, but my masterpage has linkbuttons that can raise postbacks on other pages.

I obviously don't want to turn validation off needlessly on every page of my site, but I'd want to be able to sanitize the input 'silently' (either by removing the faulty field from the request form, or by validating it).

I see that one can override OnInit or ProcessRequest on the page, but I'd like to do that on the master page if it is possible. (I'm not even sure I can recover from a HttpRequestValidationException)

Any idea on how I could do that?

Edit: I've been playing with Page_Error, which successfully catches the error but I can't find how to resume processing after I checked the request was in fact legit.

+3  A: 

Turn off validation, because it validates at the wrong stage in the process.

Input validation is inherently flawed; you actually need output validation. This means that you take in any data, but you encode it, before printing it, for the relevant context that it will be displayed. So for direct writing to a HTML page, you use HttpUtility.HtmlEncode, and other such encoding techniques depending on the context.

Noon Silk  2009-09-08 09:43:03
Unfortunately this is not really an option without rewriting the whole application :)
Luk  2009-09-08 09:53:42
Well, even still, you must then accept that you're application is not ideally secure. In this case, the same rules apply. You still turn off request validation (because it's still wrong), and validate as you receive it, and **make sure** you only use it in the correct context.
Noon Silk  2009-09-08 10:34:30
A: 

If you want to deal with the exception in a particular way and check the request during this process you may want to consider global exception handling. There is a brief article here on it:

http://www.developer.com/net/asp/article.php/961301

Hope this helps.

Richard  2009-09-08 09:50:02
Unfortunately, once I'm in Application_Error, there's no way back: the request has failed and I won't be able to recover. (Unless I am mistaken)
Luk  2009-09-08 09:55:03
+1  A: 

I think you should be able to use the global exception handling that Richard mentions, but may need to add a call to ClearError to get rid of the HttpRequestValidationException and continue with the request. Something like this might do the trick:

protected void Application_Error(object sender, EventArgs e) {
    Exception ex = Server.GetLastError().GetBaseException();
    if (ex.Message.StartsWith("A potentially dangerous Request.Form value was detected")) {
        Server.ClearError();
    }
}

It might be worth checking the Request.Url and / or the Request.UrlReferer to make sure the request originates from your FCKEditor page as well.

Hope this helps.

Ian Oxley  2009-09-08 12:27:46
I'd avoid the string comparison (assumes an English OS), and use "if (ex is HttpRequestValidationException)" instead.
devstuff  2009-09-13 22:59:18
Sounds a very good plan, but in that case the page is not processed (apparently): I end up with a blank page
Luk  2009-09-14 15:04:55
A: 

Do your link buttons need to be buttons (post) or can you turn them into actual links (get)? If you aren't passing any data back and you don't need to know which button was clicked, then I'd suggest just using the links. A get request will not carry with it any of the form data on the page so you won't get the error on the other pages. Use CSS styling on the link to get a button look if you need it.

tvanfosson  2009-09-14 11:45:54
Yes unfortunately
Luk  2009-09-14 15:52:05
A: 

Edit: I've been playing with Page_Error, which successfully catches the error but I can't find how to resume processing after I checked the request was in fact legit:

    protected void Page_Error(object sender, EventArgs e)
    {
        if (Server.GetLastError() is HttpRequestValidationException)
        {
            Server.ClearError();
            //CreateChildControls();
            base.OnPreInit(e); //yeah, ugly as hell
        }
    }

doesn't work

Luk  2009-09-14 15:51:54

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps