Sep 14, 2010, 11:56 AM
[CLOSED] Question about request validation
Hello,
I have a question about request validation:
In my login form I have a login button with the following code:
<ext:Button ID="Button1" runat="server" Text="Login" Icon="Accept" Type="Submit">
    <DirectEvents>
        <Click
            OnEvent="CheckLogin_Click"
            Before="var valid=#{txtUsername}.isValid(); if(valid){valid=#{txtPassword}.isValid();} if (!valid) {#{Label1}.setIconClass('ierror'); #{Label1}.setText('User name or password are missing!');} return valid;"
            Failure="#{Label1}.setIconClass('ierror'); #{Label1}.setText(result.errorMessage); return false;">
            <EventMask ShowMask="true" Msg="Checking..." MinDelay="250" />
        </Click>
    </DirectEvents>
</ext:Button>
Inside the "CheckLogin_Click" event in the code-behind I use the following code for reading the input fields:
string uid = HttpUtility.HtmlEncode(txtUsername.Text.Trim());
string pwd = HttpUtility.HtmlEncode(txtPassword.Text.Trim());
When I write some XSS code like "<script" in the input fields, I get the following message on the page:
"
A potentially dangerous Request.Form value was detected from the client
Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
"
My question is:
1) Is there another way of checking XSS validation on the client side, or is the only solution to disable request validation on the login page and write custom validation inside the server-side code?
Please provide an example if you have one.
Best regards,
Sasa
Last edited by Daniil; Sep 16, 2010 at 11:13 AM.
Reason: [CLOSED]
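An added example, not part of the original post or of Ext.NET: one shape the "custom validation inside server side code" could take if request validation is turned off for the login page as the error message describes. The allow-list pattern, the length limits and the `LoginInput` class are assumptions made for illustration; the password is deliberately not HTML-encoded, and `HttpUtility.HtmlEncode` is applied only where text is written into HTML.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility.HtmlEncode, as used in the post

static class LoginInput
{
    // Assumed policy for this example: letters, digits and . _ @ - only, 1 to 64 chars.
    static readonly Regex UserNamePattern = new Regex(@"\A[A-Za-z0-9._@-]{1,64}\z");

    // Allow-list check that runs on the server, independent of any client-side isValid().
    public static bool TryValidate(string userName, string password, out string error)
    {
        error = null;
        if (userName == null || !UserNamePattern.IsMatch(userName.Trim()))
            error = "User name contains characters that are not allowed.";
        // The password is only length-checked. It is not trimmed or HTML-encoded,
        // because that would change the value compared against the stored hash.
        else if (string.IsNullOrEmpty(password) || password.Length > 128)
            error = "Password is missing or too long.";
        return error == null;
    }

    // Encode at the point where user-supplied text is written into HTML.
    public static string ForHtml(string text)
    {
        return HttpUtility.HtmlEncode(text ?? string.Empty);
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample inputs (user name, password).
        string[][] samples =
        {
            new[] { "alice", "p<ss&word" },   // accepted: markup characters are fine in a password
            new[] { "<script", "x" },         // rejected by the user name allow-list
            new[] { "admin", "" },            // rejected: missing password
        };
        foreach (string[] s in samples)
        {
            string error;
            bool ok = LoginInput.TryValidate(s[0], s[1], out error);
            Console.WriteLine("{0,-12} -> {1}", LoginInput.ForHtml(s[0]), ok ? "accepted" : "rejected: " + error);
        }
    }
}
```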