ValidateRequest=True vs. AntiXSSLibrary

Last post 11-08-2007 10:18 AM by kanakaiah.etipakam. 2 replies.


  • ValidateRequest=True vs. AntiXSSLibrary

    11-08-2007, 9:13 AM
    • brianedow
    • Joined on 02-03-2006, 1:50 PM
    • Posts 12

    Could someone tell me what would be the benefit of using the AntiXSSLibrary vs. using the built-in page validation in 2.0? I could see a few, but I would like to hear what others have to say about it. Thanks to all in advance.

  • Re: ValidateRequest=True vs. AntiXSSLibrary

    11-08-2007, 9:57 AM
    • Joël Hébert
    • Joined on 07-20-2005, 6:07 PM
    • Ottawa Canada
    • Posts 614

    AntiXSSLibrary is a DLL you add in the bin. It has libraries to cleanse input code, since things like Server.HtmlEncode are not enough to keep good hackers at bay. ValidateRequest is there to see if there is potential for injections (among other things).

     

    You could say one cleanses and the other detects.

     

    -> http://www.asp.net/learn/whitepapers/request-validation/

    Joël Hébert

    ASP.NET Consultant
    Opulent ASP Development Inc.
    www.opulentasp.com
    Ottawa,Canada

    Click "Mark as Answer" on the posts that helped you to help future readers to get the solutions
  • Re: ValidateRequest=True vs. AntiXSSLibrary

    11-08-2007, 10:18 AM

    The following server error will occur when someone enters scripts into web controls (like TextBox and so on). This happens because the ASP.NET page validates the user input only for some web controls by setting ValidateRequest="true" by default.

    Thanks to the ASP.NET engine for doing validations on our behalf, but the problem is, it doesn't mitigate 100%,

    that's why Microsoft has given us AntiXSSLibrary

    in order to encode the scripts, which protects us from hackers who execute scripts on our site to steal cookies.

    For example (how to use and download the library follows):

    using Microsoft.Security.Application;

    string pageTitle = AntiXss.HtmlEncode(Request.QueryString["Page"]);

    Remember: Always HtmlEncode untrusted text.

    Download it from

    http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff-4f82-bfaf-e11625130c25&DisplayLang=en


     

     

    Server Error in '/WebSite1' Application.

    A potentially dangerous Request.Form value was detected from the client (ctl02="<script>alert("hai")...").

    Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

    Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl02="<script>alert("hai")...").

    Source Error:

    [No relevant source lines]

    Source File: c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\website1\17df5294\deb8e8cd\App_Web_o5gv983d.0.cs    Line: 0

    Stack Trace:

    [HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (ctl02="<script>alert("hai")...").]
    System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +3255566
    System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +108
    System.Web.HttpRequest.get_Form() +119
    System.Web.HttpRequest.get_HasForm() +3257494
    System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +45
    System.Web.UI.Page.DeterminePostBackMode() +65
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +7139
    System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +213
    System.Web.UI.Page.ProcessRequest() +86
    System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
    System.Web.UI.Page.ProcessRequest(HttpContext context) +49
    ASP.xss_error_default_aspx.ProcessRequest(HttpContext context) in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\website1\17df5294\deb8e8cd\App_Web_o5gv983d.0.cs:0
    System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +362
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64


    Version Information: Microsoft .NET Framework Version:2.0.50727.1378; ASP.NET Version:2.0.50727.1378


     

    Thanks and Regards,
    Kanakaiah etipakam(RAJA)

    --------------------------------------------------
    For God so loved the world that he gave his one and only Son (JESUS), that whoever believes in him shall not perish but have eternal life. john 3:16
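
The distinction drawn in this thread (request validation detects, AntiXSS encodes), as an added example that is not code from any poster, from ASP.NET or from the AntiXSS library. `LooksDangerous` and `AllowListHtmlEncode` are hypothetical, simplified stand-ins for the two approaches, and the second and third inputs are constructed.

```csharp
using System;
using System.Text;

static class DetectVersusEncode
{
    // Simplified stand-in for a block-list request check (assumption, not the
    // framework's code): flag '<' followed by a letter, '!', '/' or '?', and "&#".
    static bool LooksDangerous(string s)
    {
        for (int i = 0; i + 1 < s.Length; i++)
        {
            char c = s[i], n = s[i + 1];
            if (c == '<' && (char.IsLetter(n) || n == '!' || n == '/' || n == '?')) return true;
            if (c == '&' && n == '#') return true;
        }
        return false;
    }

    // Simplified stand-in for allow-list output encoding (assumption, not the
    // library's code): keep a small safe set, entity-encode everything else.
    static string AllowListHtmlEncode(string s)
    {
        s = s ?? "";
        var sb = new StringBuilder();
        for (int i = 0; i < s.Length; i++)
        {
            char ch = s[i];
            bool safe = (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') ||
                        (ch >= '0' && ch <= '9') || ch == ' ' || ch == '.' ||
                        ch == ',' || ch == '-' || ch == '_';
            if (safe) { sb.Append(ch); continue; }
            // Encode a surrogate pair as one code point, then skip its second half.
            int cp = char.IsSurrogatePair(s, i) ? char.ConvertToUtf32(s, i++) : ch;
            sb.Append("&#").Append(cp).Append(';');
        }
        return sb.ToString();
    }

    static void Main()
    {
        string[] inputs = {
            "<script>alert(\"hai\")",  // value from the error message in this thread
            "x\" title=\"injected",    // constructed: no '<', but would close an attribute
            "Tom & Jerry"              // constructed: harmless text
        };
        foreach (string input in inputs)
            Console.WriteLine("flagged={0,-5} <input value=\"{1}\" />",
                LooksDangerous(input), AllowListHtmlEncode(input));
    }
}
```

The second input is not flagged by the check, yet the encoder still turns its quotes into `&#34;`, so the value stays inside the `value` attribute.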