disabling ValidateRequest for one textbox

Microsoft has not built a field-by-field capability into ValidateRequest. In
fact, their code for validation is not "public" (its an internal class). So
its simply not available.

I built a far more aggressive system to protect against Cross Site Scripting
and SQL Injection attacks that you may want to investigate. "Visual Input
Security" (http://www.peterblum.com/vise/home.aspx) provides validators that
can be assigned to individual controls and detect script attacks.

An example of being more aggressive: It lets you define a list of HTML tags
that you want to permit on a field and will still block those tags when
illegal javascript is also embedded in them.

--- Peter Blum
www.PeterBlum.com
Email: PL****@PeterBlum.com
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx

"Andy Fish" <aj****@blueyonder.co.uk> wrote in message
news:Oo**************@tk2msftngp13.phx.gbl...

Hi,

I have one textbox on the form that needs to have ValidateRequest
disabled, but it seems that it can only be enabled/disabled at a page
level.

assuming I have to disable it at for the whole page, how can I invoke
ValidateRequest functionality for the other text boxes individually? I was
looking for some kind of method on I can call that says "validate this
control as if ValidateRequest were true" or a function "would this string
pass ValidateRequest"

TIA

Andy

Thanks peter, I can't blame you for advertising your toolkit which I'm sure
is excellent, but I found a simple way to invoke the microsoft request
validation: details below for anyone who has the same problem.

download Lutz Roeder's reflector and decompile the class
System.Web.CrossSiteScriptingValidation, then past the code into your own
class. Then you can call IsDangerousString on any text field you want to
validate. I was going to post the source here but that might mean some
people would miss out on using this fantastic tool.

Some caveats for anyone who wants to do it this way:

1. you must remove null characters from the string before calling the
validation, otherwise you could fall foul of a known IE vulnerability (see
the source for HttpRequest.ValidateString).

2. if a new version of the framework comes out with improvements to the
validation, you'll need to recreate your class

3. decompiling and reusing the source might contravene your licence
agreement for using the framework (IANAL)

Andy

"Peter Blum" <PL****@Blum.info> wrote in message
news:%2****************@TK2MSFTNGP14.phx.gbl...

Microsoft has not built a field-by-field capability into ValidateRequest.
In fact, their code for validation is not "public" (its an internal
class). So its simply not available.

I built a far more aggressive system to protect against Cross Site
Scripting and SQL Injection attacks that you may want to investigate.
"Visual Input Security" (http://www.peterblum.com/vise/home.aspx) provides
validators that can be assigned to individual controls and detect script
attacks.

An example of being more aggressive: It lets you define a list of HTML
tags that you want to permit on a field and will still block those tags
when illegal javascript is also embedded in them.

--- Peter Blum
www.PeterBlum.com
Email: PL****@PeterBlum.com
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx

"Andy Fish" <aj****@blueyonder.co.uk> wrote in message
news:Oo**************@tk2msftngp13.phx.gbl...

Hi,

I have one textbox on the form that needs to have ValidateRequest
disabled, but it seems that it can only be enabled/disabled at a page
level.

assuming I have to disable it at for the whole page, how can I invoke
ValidateRequest functionality for the other text boxes individually? I
was looking for some kind of method on I can call that says "validate
this control as if ValidateRequest were true" or a function "would this
string pass ValidateRequest"

TIA

Andy