Custom handler for HttpRequest validation

Rob
I am developing an intranet application that has to pass an internal security
audit. The framework version that I am using is .NET Framework version 1.1.
Some combinations of text entered in any text box, involving for example a
"less than" character followed by any alpha character, trigger an exception
(HttpRequestValidationException). So, the framework detects a potential
script injector, triggers an exception and the user gets an application error.
My problem is that most data entry controls have their own validators, which
should detect this type of condition and print an appropriate format
validation error in the validator summary control, before presenting the
user with an error screen.
Setting validateRequest to false is not an option, because of the security
requirements. Also, using HTTPEncode/Decode for all the fields is a bad
option too, due to the large amount of work already put into the
application. My best bet is to write a custom handler that will leave the
controls that have their own validators to these validators and use HTTP
encoding for the few remaining free-form fields. Are there any hooks in the
framework that allow me to accomplish that?

Nov 18 '05 #1
You could write something called an IHttpHandler that checks the values of
fields and denies access if any values in the forms collection contain
banned chars. This approach means you don't interfere at all with the actual
page contents, as it runs at application level and would affect every page
without any validators being added.

Of course you'll have to performance check the handler to assess its impact
on your app.

--
Regards

John Timney
Microsoft Regional Director
Microsoft MVP


Nov 18 '05 #2
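
The form-collection check described in the reply above, as an added example that is not code from either poster. It is written as an `IHttpModule` (an assumption, chosen because a module sees every request without replacing the page's own handler); the class name, the banned-character list and the 400 response are hypothetical.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;

// Added example, not code from the thread. The class name, the banned
// character set and the 400 response are assumptions for illustration.
// Register it under <system.web><httpModules> in web.config.
public class BannedCharModule : IHttpModule
{
    // Constructed deny-list: the characters that open or close a tag.
    private static readonly char[] Banned = new char[] { '<', '>' };

    public void Init(HttpApplication app)
    {
        // Run the check at the start of every request in the application.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    // True when any posted value contains a banned character.
    public static bool HasBannedChars(NameValueCollection form)
    {
        for (int i = 0; i < form.Count; i++)
        {
            string[] values = form.GetValues(i);
            if (values == null) continue;
            foreach (string v in values)
            {
                if (v != null && v.IndexOfAny(Banned) >= 0) return true;
            }
        }
        return false;
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        if (!HasBannedChars(app.Request.Form)) return;

        // Deny before the page handler runs: CompleteRequest skips the
        // remaining pipeline stages and goes straight to EndRequest.
        app.Response.StatusCode = 400;
        app.Response.Write("Input contains characters that are not allowed.");
        app.CompleteRequest();
    }
}
```

Because the module rejects the request outright, the page's validators and validation summary never run for a rejected post; `validateRequest` stays enabled as the second layer.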
Rob
John,

Thanks for your suggestion. It looks like this is the only way to go, so I
will be coding the handler this week. I am not worried too much about the
performance impact, the app runs in an NLB environment, so if we have any
problems, we will add a new server (or two).

Nov 18 '05 #3
