Request Validation in ASP.NET 4.5

In this post I will discuss one of the new features introduced in ASP.Net 4.5. There is a new value for requestValidationMode attribute in httpRuntime configuration setting.

<httpRuntime requestValidationMode="4.5" />

If you have worked on development of applications like forums, blog or any application that allows a user to submit text content that can contain script, HTML or any content that could be potentially harmful, you had to turn off request validation. Otherwise you would end up with exception like below.

Server Error in '/' Application.
A potentially dangerous Request.Form value was detected from the
 client (ctl00$MainContent$MessageText="<script>alert('hello..."). 

When you turn off request validation for the page or application, you lower security of the application or page. And then you have to validate the user input to ensure there is no content that could cause cross site scripting attack on your application.

To solve this problem, ASP.Net 4.5 has introduced new value of 4.5for requestValidationMode attribute. By setting this new value, you defer the validation of content till it is accesses on the server side. Lets see how this is used in your ASP.Net application. I will use the following page structure to explain this new validation mechanism. The text box on left is going to used to post content containing harmful content and text box on right is normal text box that will still cause validation when form is posted to server.

  • In web.config file set requestValidatonMode attribute value to 4.5

  • In ASP.Net a new property ValidateRequestMode has been introduced that works together with new value of requestValidationMode. Set the value of this new property to Disabled. This tells the framework to now validate content of this input section when page is posted back to server. If you do not set this value to Disabled, ASP.Net framework will still validate content of this input control.

    <asp:TextBox ID="UnvalidatedMessageText" ValidateRequestMode="Disabled" runat="server" />
  • To access content of this non validated input, ASP.Net 4.5 has introduced new property Request.Unvalidated. Unvalidated is of new .Net type System.Web.UnvalidatedRequestValues introduced in ASP.Net 4.5. This collection allows you to access all input to the page without triggering any validation. For example in our case I needed to turn off validation on left text box and access its content on server side without validation. Following code snippet shows how you will access the content of this text box on server side.

    Dim uncheckedContent As String = Request.Unvalidated.Form(UnvalidatedMessageText.UniqueID)

The above three steps are petty much what you will need to do to work with this new mode. But there are some underlying concepts that you will need to keep in mind when using this new request validation mechanism.

Must set ValidateRequestMode for server controls

This is very important part of this mechanism. When you use a ASP.Net text box and not set this new property ValidateRequestMode value to Disabled, the framework will trigger the validation exception if you try to post harmful content. The reason this happens is because when you post the page back to server, the page life cycle reconstructs the page control tree. It also creates view state for the page. It has to access the value of the text box. This automatically triggers validation of the content for that server control. This is what you have to set ValidateRequestMode property value.

Accessing Unvalidated content on server side

As I showed in code snippet above how you will access unvalidated content. There are two important things you have to watch out for when dealing with server side controls.

  • Notice that I used UniqueID property on the text box to find content in the form collection. Even though it is ASP.Net, but at the end, its a HTML form that posts back. When a server control is rendered on the client side, it constructs the ID based on how control is placed in hierarchy inside parent etc. For example the text box is accessed using ctl00$MainContent$MessageText in form.

  • When accessing unvalidated content make sure that you do not access the content directly from form. For example if you write following code, you will end up with HttpRequestValidationException exception

    A potentially dangerous Request.Form value was detected from the 
    client (ctl00$MainContent$InvalidatedMessageText="<script>alert('hello..."). 
    System.Web.HttpRequestValidationException was unhandled by user code

Before concluding I will just have one word of caution. This new mechanism makes it easy to turn off validation control by control basis. But it puts all the burden on you to secure the pages. Make sure that you properly validate content using AntiXss library.

comments powered by Disqus

Blog Tags