10.18.07
ASP.NET: Re-enable Request Validation
By Mads Kristensen
Request validation is enabled by default in ASP.NET, and it stops people from submitting a form with HTML in any of the input fields.
It's a little more sophisticated than that, but in essence it looks for HTML tags in the posted values; if it finds any, it throws an exception and the form is prevented from being posted.
However, you often want people to be able to write HTML tags in your forms. That's why most people turn it off, either globally in web.config or on the individual pages hosting a form, and then just HTML-encode the values. I've done it reluctantly myself many times, but there is a smarter way to allow HTML input without turning request validation off.
What if we could just HTML encode all input fields just before the form is submitted? That way we could benefit from request validation and the security it offers out of the box. By having request validation enabled, you also make it impossible for spambots to post links in your form.
The easiest way of doing this is to create a custom server control that inherits from System.Web.UI.WebControls.TextBox and add a little JavaScript magic. I've written a SafeTextBox class that HTML encodes its value client-side and then HTML decodes the value again server-side. That way it can be treated just like a normal TextBox.
The way the SafeTextBox HTML encodes/decodes is not very sophisticated but it works. You can add your own logic to the encoding/decoding if you feel the need.
To roll this out on your own website, just dump the SafeTextBox class in the App_Code folder and hook it up using tag mapping.
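A sketch of such a control, as an added example that is not the author's SafeTextBox: it encodes `&`, `<` and `>` in the browser on submit and decodes the posted value once on the server. The choice of `OnPreRender` and `LoadPostData` as hook points and the script text are assumptions of this example.

```csharp
// Added example, not the author's code. Place in App_Code and map it in web.config:
//   <pages><tagMapping>
//     <add tagType="System.Web.UI.WebControls.TextBox" mappedTagType="SafeTextBox" />
//   </tagMapping></pages>
using System;
using System.Collections.Specialized;
using System.Web;
using System.Web.UI.WebControls;

public class SafeTextBox : TextBox
{
    // Runs in the form's onsubmit handler. '&' is replaced first so the
    // entities produced for '<' and '>' are not encoded a second time.
    // If the submit is cancelled after this runs, the field stays encoded.
    private const string EncodeScript =
        "var f=document.getElementById('{0}');" +
        "if(f){{f.value=f.value.replace(/&/g,'&amp;')" +
        ".replace(/</g,'&lt;').replace(/>/g,'&gt;');}}";

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        // One statement per control instance, keyed by its client id.
        Page.ClientScript.RegisterOnSubmitStatement(
            typeof(SafeTextBox), ClientID, string.Format(EncodeScript, ClientID));
    }

    protected override bool LoadPostData(string postDataKey,
                                         NameValueCollection postCollection)
    {
        string before = Text;
        // Let the base class run its own checks on the posted field first.
        base.LoadPostData(postDataKey, postCollection);
        if (ReadOnly)
            return false; // the base class ignores posted data for read-only boxes

        // Decode the posted value exactly once. A client that skipped the
        // script and posted raw tags never gets here: request validation
        // has already rejected that request.
        Text = HttpUtility.HtmlDecode(postCollection[postDataKey]);

        // Report a change only when the decoded text differs, so
        // TextChanged does not fire just because of the encoding.
        return !string.Equals(before, Text, StringComparison.Ordinal);
    }
}
```

After the postback, `Text` holds the raw markup again, so it still has to be HTML-encoded or sanitized wherever it is written back into a page.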
About the Author:
Mads Kristensen currently works as a Senior Developer at Traceworks, located in Copenhagen, Denmark. Mads graduated from Copenhagen Technical Academy with a multimedia degree in 2003, but has been a professional developer since 2000. His main focus is on ASP.NET, but he is responsible for WinForms, Windows services and web services in his daily work as well. A true .NET developer with great passion for the simple solution.
http://www.madskristensen.dk/