DevWebProSE
DevWebProSE Newsletter:
Last Updated:


Get Your Site Submitted for Free in the World's Largest B2B Directory!

Email Address:
* URL:
*
*Indicates Mandatory Field

Terms & Conditions


ASP.NET: Re-enable Request Validation

By Mads Kristensen
Expert Author
Article Date: 2007-10-15

Request validation is enabled by default in ASP.NET and it basically stops people from submitting a form with HTML in any of the input fields.

It's a little more sophisticated than that, but basically it just looks for HTML tags and if it finds any, it throws an exception and the form is prevented from being posted.

However, you often want people to be able to write HTML tags in your forms. That's why most people turn it off either globally in web.config or on the individual pages hosting a form and then just HTML encodes the values. I've done it reluctantly myself many times, but there is a smarter way to allow HTML input without turning request validation off.

What if we could just HTML encode all input fields just before the form is submitted? That way we could benefit from request validation and the security it offers out of the box. By having request validation enabled, you also make it impossible for spambots to post links in your form.

The easiest way of doing this is to create a custom server control that inherits from System.Web.UI.WebControls.TextBox and add a little JavaScript magic. I've written a SafeTextBox class that HTML encodes its value client-side and then HTML decodes the value again server-side. That way it can be treated just like a normal TextBox.

public class SafeTextBox : System.Web.UI.WebControls.TextBox
{
  protected override void OnLoad(System.EventArgs e)
  {
   base.OnLoad(e);
   if (!Page.ClientScript.IsClientScriptBlockRegistered(Page.GetType(), "TextBoxEncode"))
   {
    System.Text.StringBuilder sb = new System.Text.StringBuilder();
    sb.Append("function TextBoxEncode(id)");
    sb.Append("{");
    sb.Append("var tb = document.getElementById(id);");
   sb.Append("tb.value = tb.value.replace(new RegExp('<', 'g'), '<');");
    sb.Append("tb.value = tb.value.replace(new RegExp('>', 'g'), '>');");
    sb.Append("}");
   Page.ClientScript.RegisterClientScriptBlock(Page.GetType(), "TextBoxEncode", sb.ToString(), true);
   }

   // Adds the function call after the form validation is called.
   if (!Page.IsPostBack)
    Page.Form.Attributes["onsubmit"] += "TextBoxEncode('" + ClientID + "');";
   }

   public override string Text
   {
    get { return base.Text; }
    set
   {
    if (!string.IsNullOrEmpty(value))
     base.Text = value.Replace("<", "<").Replace(">", ">");
    else
     base.Text = value;
    }
   }
}

The way the SafeTextBox HTML encodes/decodes is not very sophisticated but it works. You can add your own logic to the encoding/decoding if you feel the need.

To roll this out on your own website, just dump the SafeTextBox class in the App_Code folder and hook it up using tag mapping.

Comments
About the Author:
Mads Kristensen currently works as a Senior Developer at Traceworks located in Copenhagen, Denmark. Mads graduated from Copenhagen Technical Academy with a multimedia degree in 2003, but has been a professional developer since 2000. His main focus is on ASP.NET but is responsible for Winforms, Windows- and web services in his daily work as well. A true .NET developer with great passion for the simple solution.

http://www.madskristensen.dk/

Newsletter Archive | Article Archive | Submit Article | Advertising Information | About Us | Contact | Site Map

DevWebProSE is an iEntry, Inc.® publication - 1998-2008 All Rights Reserved Privacy Policy and Legal