ValidateRequest=False is to prevent a common coding error. take the common
welcome message
John, welcome to my site
if implemented as
<%= UserName %>, welcome to my site
your page is open to a scripting hack. the user, when they enter their name,
can input <script>....</script>. the fix, when outputting user input data as
html, is to encode it when rendered.
<%= HttpUtility.HtmlEncode(UserName) %>, welcome to my site
is completely safe. this is more of a problem when a user enters data that is
displayed on other people's pages; then the script can do more damage.
note: as any user can run arbitrary javascript on your page thru the
address bar, you should design your page to not trust postback values
(especially hidden fields)
-- bruce (sqlwork.com)
"AFN" <DE************************@yahoo.com> wrote in message
news:F5****************@twister.socal.rr.com...
I have a form with 15 fields. I want users to be able to enter "<" and
">" characters into 1 of those fields without IIS catching it and disallowing
the whole page. I did some reading and I *think* that means I MUST set
ValidateRequest=False. So, two questions:
1) Do I have to then pass the results of every one of those 15 fields into
HtmlEncode? like strAfter = HtmlEncode(txtField1.text)? That's annoying
when I only want to allow 1 field to have the "<" ">" values.
2) What does the < character turn into when you do HtmlEncode? Generally.
I don't want it to turn into something like %20. If that is what it
does, then what other function can I use to test that my input is safe but still
keep it as < or >?
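The following is an added example, not code from either post in the thread. It is a small .NET Framework console program (reference System.Web) that runs the two render paths bruce describes side by side and answers AFN's second question directly: HttpUtility.HtmlEncode turns "<" into the entity "&lt;" and ">" into "&gt;", while "%20" is what URL encoding produces, a different function for a different context. The hostile user name and the "welcome" template are constructed for the demo; RenderRaw and RenderEncoded are the ASP.NET expressions from the thread rewritten as plain string code so the difference can be seen outside a page.

```csharp
// Added example (not from the original posts). Demonstrates HtmlEncode at
// render time versus emitting the raw value, and HTML vs URL encoding.
// Build as a .NET Framework console app with a reference to System.Web.
using System;
using System.Web;

class HtmlEncodeDemo
{
    // Constructed sample input: a "user name" that carries a script tag,
    // the payload shape bruce's post warns about.
    const string HostileName = "John<script>alert(1)</script>";

    // Vulnerable path: same as  <%= UserName %>, welcome to my site
    // The browser receives the script tag as markup and executes it.
    static string RenderRaw(string userName)
    {
        return userName + ", welcome to my site";
    }

    // Fixed path: same as  <%= HttpUtility.HtmlEncode(UserName) %>, welcome to my site
    // The browser receives "&lt;script&gt;..." and shows it as literal text.
    static string RenderEncoded(string userName)
    {
        return HttpUtility.HtmlEncode(userName) + ", welcome to my site";
    }

    static void Main()
    {
        Console.WriteLine("raw:     " + RenderRaw(HostileName));
        Console.WriteLine("encoded: " + RenderEncoded(HostileName));

        // AFN's question 2: what does "<" become? An HTML entity, not %20.
        Console.WriteLine("HtmlEncode(\"<\") is \"&lt;\": "
            + (HttpUtility.HtmlEncode("<") == "&lt;"));
        Console.WriteLine("HtmlEncode(\">\") is \"&gt;\": "
            + (HttpUtility.HtmlEncode(">") == "&gt;"));

        // %20 (or +) comes from URL encoding, which is for query strings and
        // form bodies, not for HTML output. Different context, different encoder.
        Console.WriteLine("UrlEncode(\"a b\"):         " + HttpUtility.UrlEncode("a b"));
        Console.WriteLine("EscapeDataString(\"a b\"):  " + Uri.EscapeDataString("a b"));

        // AFN's question 1: the stored value keeps its "<" and ">" untouched;
        // encoding is applied only where the value is written into the page,
        // so the one field that must accept angle brackets is not altered.
        string stored = HostileName;
        string roundTrip = HttpUtility.HtmlDecode(HttpUtility.HtmlEncode(stored));
        Console.WriteLine("stored value unchanged after encode/decode: "
            + (roundTrip == stored));
    }
}
```

The practical reading of this for AFN's two questions: encode at output, not at input, and encode every value that reaches the page regardless of which field it came from, because the 14 "safe" fields are only safe as long as request validation is on, which ValidateRequest=False switches off for the whole page.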