(1) yes
(2) just go through Request.Form and Request.QueryString individually
(3) I don't know your situation, but it all seems like overkill and
unnecessary protection to me
(4) ASP.NET supports a validateRequest attribute on the @Page level or in the
web.config which does this for you
Karl
--
http://www.openmymind.net/
<oo******@yahoo.co.uk> wrote in message
news:11**********************@g47g2000cwa.googlegroups.com...
Hello
To prevent cross site scripting I am validating each value in the
Request.Params collection against the following regular expression :
^[a-zA-Z0-9\.\-_'=+/ :]*$
This only allows the following characters :
a-Z
0-9
.
-
_
'
=
+
[space]
:
Which prevents the <, %3C or \u0022 methods of getting malicious html
tags into the request.
My problem is that the Request.Params structure contains lots of other
values which are nothing to do with the form such as "ALL_HTTP" which
comes in as :
"HTTP_CONNECTION:Keep-Alive\r\nHTTP_ACC...etc.."
This fails my regular expression because of the slash characters so
that NO page will ever pass my validation!
I have two questions.
1) Can a malicious user edit the values in parameters such as ALL_HTTP,
which I think are http headers?
2) Is there a way to access only the form/url parameter values and not
the http headers?
thanks
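As an added example (not code from Karl's reply or from the original poster), here is an ASP.NET page that applies the poster's allowlist only to Request.Form and Request.QueryString, as Karl's point (2) suggests, so server variables such as ALL_HTTP are never visited. The class name ContactPage and the helper FirstInvalidValue are names chosen for this example; the pattern ends in \z rather than $ because in .NET $ also matches just before a trailing newline.

```csharp
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;

public partial class ContactPage : System.Web.UI.Page
{
    // Allowlist from the post: letters, digits, . - _ ' = + / space :
    // \z (absolute end) instead of $, so "abc\n" does not slip through.
    // This is in addition to ASP.NET's own validateRequest check, which stays on.
    private static readonly Regex SafeValue =
        new Regex(@"^[a-zA-Z0-9\.\-_'=+/ :]*\z", RegexOptions.Compiled);

    protected void Page_Load(object sender, EventArgs e)
    {
        // Only the user-supplied collections are checked. Request.ServerVariables
        // (ALL_HTTP, HTTP_*, ...) is not part of this loop, so header values that
        // legitimately contain CR/LF no longer fail the page.
        string bad = FirstInvalidValue(Request.Form)
                     ?? FirstInvalidValue(Request.QueryString);
        if (bad != null)
        {
            Response.StatusCode = 400;
            Response.Write("Request contains characters that are not allowed.");
            Response.End();
        }
    }

    // Returns the name of the first field whose value fails the allowlist,
    // or null when every form / query-string value is acceptable.
    internal static string FirstInvalidValue(NameValueCollection values)
    {
        foreach (string key in values.AllKeys)
        {
            if (key == null) continue;            // unnamed value such as "?foo"
            // A repeated key (?a=1&a=2) carries several values; check each one.
            string[] all = values.GetValues(key);
            if (all == null) continue;
            foreach (string v in all)
            {
                if (!SafeValue.IsMatch(v)) return key;
            }
        }
        return null;
    }
}
```

Values arrive already URL-decoded in these collections, so an encoded %3C is seen as < and rejected by the same pattern.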