Validating Request.Params[] values for cross site scripting

(1) yes
(2) just go through Request.Form and Request.QueryString individually

(3) I don't know your situation, but it all seems like overkill and
unecessary protection to me
(4)ASP.NET supports a validateRequest attribute on the @Page level or in the
web.config which does this for you

Karl
--
http://www.openmymind.net/

<oo******@yahoo.co.uk> wrote in message
news:11**********************@g47g2000cwa.googlegr oups.com...

Hello

To prevent scross site scripting I am validating each value in the
Request.Params collection against the following regular expression :

^[a-zA-Z0-9\.\-_'=+/ :]*$

This only allows the following characters :

a-Z
0-9
.
-
_
'
=
+
[space]
:

Which prevents the <, %3C or \u0022 methods of getting a malicous html
tags into the request.

My problem is that the Request.Params structure contains lots of other
values which are nothing to do with the form such as "ALL_HTTP" which
comes in as :

"HTTP_CONNECTION:Keep-Alive\r\nHTTP_ACC...etc.."

This fails my regular expression because of the slash characters so
that NO page will ever pass my validation!

I have two questions.

1) Can a malicous user edit the values in parameters such as ALL_HTTP,
which I think are http headers?

2) Is there a way to access only the form/url parameter values and not
the http headers?

thanks

I should say that validateRequest is only available in 1.1 and 2.0, not 1.0

Karl
--
http://www.openmymind.net/

"Karl Seguin [MVP]" <karl REMOVE @ REMOVE openmymind REMOVEMETOO . ANDME
net> wrote in message news:Od**************@TK2MSFTNGP09.phx.gbl...

(1) yes
(2) just go through Request.Form and Request.QueryString individually

(3) I don't know your situation, but it all seems like overkill and
unecessary protection to me
(4)ASP.NET supports a validateRequest attribute on the @Page level or in
the web.config which does this for you

Karl
--
http://www.openmymind.net/

<oo******@yahoo.co.uk> wrote in message
news:11**********************@g47g2000cwa.googlegr oups.com...

Hello

To prevent scross site scripting I am validating each value in the
Request.Params collection against the following regular expression :

^[a-zA-Z0-9\.\-_'=+/ :]*$

This only allows the following characters :

a-Z
0-9
.
-
_
'
=
+
[space]
:

Which prevents the <, %3C or \u0022 methods of getting a malicous html
tags into the request.

My problem is that the Request.Params structure contains lots of other
values which are nothing to do with the form such as "ALL_HTTP" which
comes in as :

"HTTP_CONNECTION:Keep-Alive\r\nHTTP_ACC...etc.."

This fails my regular expression because of the slash characters so
that NO page will ever pass my validation!

I have two questions.

1) Can a malicous user edit the values in parameters such as ALL_HTTP,
which I think are http headers?

2) Is there a way to access only the form/url parameter values and not
the http headers?

thanks

Thanks Karl I now go through Request.Form as well, I missed that.

It always seemed like unnecessary protection to me until one of our
customers hired an internet security company to test our pages.

Without complete validation of request parameters it is possible that
our site (which prompts for card details on one page) is succeptible to
phishing. Phishing is where hackers send emails posing as our customer
requesting card details from the user. If the email recipient clicks
the link in the email then malicious script can be inserted into our
card details page which can send the card details to a malicious web
page; eg; by a window.open call in response to onclick of the submit
button.