Custom handler for HttpRequest validation

Rob
I am developing an intranet application that has to pass an internal security
audit. The framework version that I am using is .NET Framework version 1.1.
Some combinations of text entered in any text box, involving for example a
"less than" character followed by any alpha character, trigger an exception
(HttpRequestValidationException). So, the framework detects a potential
script injector, triggers an exception and the user gets an application error.
My problem is that most data entry controls have their own validators, which
should detect this type of condition and print an appropriate format
validation error in the validator summary control, before presenting the
user with an error screen.
Setting validateRequest to false is not an option, because of the security
requirements. Also, using HTTPEncode/Decode for all the fields is a bad
option too, due to the large amount of work already put into the
application. My best bet is to write a custom handler that will leave the
controls that have their own validators to these validators and use HTTP
encoding for the few remaining free-form fields. Are there any hooks in the
framework that allow me to accomplish that?

Nov 18 '05 #1
2 Replies


You could write something called an IHttpHandler that checks the values of
fields and denies access if any values in the forms collection contain
banned chars. This approach means you don't interfere at all with the actual
page contents as it runs at application level and would affect every page
without any validators being added.

Of course you'll have to performance check the handler to assess its impact
on your app.

--
Regards

John Timney
Microsoft Regional Director
Microsoft MVP


Nov 18 '05 #2
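
An added example (not code from this thread) of the application-level check suggested above, written as an IHttpModule, the ASP.NET interface that hooks every request, rather than an IHttpHandler. The class name, the 400 response and the pattern (a "<" followed by a letter, the condition described in the question) are assumptions.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;

// Hypothetical module; register it in web.config under <system.web>:
//   <httpModules>
//     <add name="FormFilterModule" type="FormFilterModule, YourAssembly" />
//   </httpModules>
// Written in C# 1.x style so it compiles against .NET Framework 1.1.
public class FormFilterModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Runs before any page code, for every request to the application.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        NameValueCollection form = app.Request.Form;
        for (int i = 0; i < form.Count; i++)
        {
            string[] values = form.GetValues(i);   // a key may carry several values
            if (values == null) continue;
            foreach (string v in values)
            {
                if (!IsSuspicious(v)) continue;
                // Deny the request; encode the field name before echoing it.
                app.Response.StatusCode = 400;
                app.Response.Write("Invalid input in field: " +
                    HttpUtility.HtmlEncode(form.GetKey(i)));
                app.CompleteRequest();              // skip the page entirely
                return;
            }
        }
    }

    // Assumed rule: '<' immediately followed by a letter.
    public static bool IsSuspicious(string s)
    {
        if (s == null) return false;
        for (int i = 0; i + 1 < s.Length; i++)
            if (s[i] == '<' && char.IsLetter(s[i + 1])) return true;
        return false;
    }
}
```

Because the module rejects the request before the page runs, the page's own validators never see the rejected value; validateRequest stays enabled as a second check behind it.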

Rob
John,

Thanks for your suggestion. It looks like this is the only way to go, so I
will be coding the handler this week. I am not worried too much about the
performance impact; the app runs in an NLB environment, so if we have any
problems, we will add a new server (or two).

Nov 18 '05 #3
