You may not have noticed this attribute before, so let's talk about how it works and how we should use it in the future.
Let's first look at where the property lives. (Note: this property is new in .NET 2.0!)
1. Namespace: System.Web.Configuration
2. Assembly: System.Web (in System.Web.dll)
3. Class: PagesSection
With a general idea of the property in hand, here is a closer analysis. The property validates input from the client: it checks whether the user's input contains dangerous characters. Its default value is true. Microsoft did this to improve the security of ASP.NET programs. Many programmers do not know how to defend against hacker attacks, so ASP.NET builds security controls into some of its default settings, which is one reason ASP.NET programs are relatively safe.
The default value is true, and postbacks on an ASP.NET page are very frequent. If a page has no user interaction, ASP.NET may still run the validation on every round trip, which wastes execution time. Whether ASP.NET actually validates when there is no client interaction is a question for Microsoft's engineers. For us, where there is no client interaction, I feel this attribute should be set to false; then, however Microsoft's engineers designed it, our own program is not affected.
Where we do need to interact with the user, we have to keep the default value. But things are not always as simple or as perfect as we would like. When users work with an HTML editor, the text they submit contains sequences such as <xxxxxxx>, and this forces the programmer to turn off the ValidateRequest attribute. How can we keep the ASP.NET page secure in that case?
One option is to filter out all the dangerous characters ourselves at this point. That may improve security, but our filtering can overlook part of the user's input, which leaves a security problem. Alternatively, we can work out which special characters we actually need to submit and escape or replace them on submission, so that ValidateRequest can stay set to true. That way both the security of the program and our requirements are met.
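For the case above where an HTML editor forces ValidateRequest off, one way to avoid overlooking input is to encode everything first and then re-enable only an allowlist of tags, instead of hunting for dangerous characters. This is an added example, not code from the original article; the RichTextFilter class, its tag list and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility is in System.Web.dll

// Hypothetical helper: the class name and the allowlist are assumptions.
public static class RichTextFilter
{
    // Attribute-free formatting tags that may survive. Anything not listed
    // here (script, img, a, any tag carrying attributes) stays encoded.
    private static readonly string[] AllowedTags = { "b", "i", "u", "p", "br" };

    public static string Sanitize(string input)
    {
        if (String.IsNullOrEmpty(input))
            return String.Empty;

        // Step 1: neutralise all markup; < > & " become HTML entities.
        string encoded = HttpUtility.HtmlEncode(input);

        // Step 2: restore only exact, attribute-free forms of allowed tags,
        // e.g. &lt;b&gt;, &lt;/b&gt;, &lt;br /&gt;.
        foreach (string tag in AllowedTags)
        {
            string pattern = "&lt;(/?)" + tag + @"(\s*/)?&gt;";
            encoded = Regex.Replace(encoded, pattern,
                "<${1}" + tag + "${2}>", RegexOptions.IgnoreCase);
        }
        return encoded;
    }

    public static void Main()
    {
        // Constructed sample inputs, not taken from the article.
        string[] samples =
        {
            "Hello <b>world</b><br />",
            "<script>alert(1)</script>",
            "<b onclick=\"x()\">click</b>",
            "<xxxxxxx>"
        };
        foreach (string s in samples)
            Console.WriteLine(Sanitize(s));
    }
}
```

Run the filter on the server before the text is stored or written back to a page; a tag with attributes never matches the pattern, so it is rendered as visible text rather than as markup.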
When interacting with the site, users will inevitably enter special characters at some point. Because ValidateRequest is true, the page gives no hint of what went wrong and simply outputs a full page of error messages. This can mislead users: they may think something is wrong with our website, and it will not occur to them that they entered illegal characters. What should we do about this?
Luckily, Microsoft's engineers provided a Page_Error event on the page, which we can use to catch the error. The code is as follows:
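protected void Page_Error(object sender, EventArgs e)
{
    // Fetch the exception that raised the page-level error event.
    Exception ex = Server.GetLastError();
    if (ex is HttpRequestValidationException)
    {
        // Request validation rejected the input: show a short message
        // instead of the default error page, then mark the error as handled.
        Response.Write("There are illegal characters in the character you entered!");
        Server.ClearError();
    }
}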
With a hint like this, the user experience is many times better!
If you have deeper insights, you are welcome to post them for me.