Why does ASP.NET dangerous request validation work this way?


Can anyone point me in the right direction with the following question.

The default "Dangerous Request" validation in ASP.NET prohibits inputs like

"<p", "<p>" or "<script>"

but at the same time allows inputs like

"<%script>" or "<.script>"

What is the rationale here?

Answer by Richard:

<p, <p> or <script>

These look like HTML/XML tags.

<%script> or <.script>

but these do not.

And the validation is trying to stop cross-site scripting, e.g. submitting a field containing:

<script>alert("You're powned!")</script>

(except truly malicious), and when you just write that text back to the user without being careful to encode it correctly, the user has just injected code into your website.
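As an added illustration (not part of the question or Richard's answer), the Python below approximates the tag-shaped check as I understand it from System.Web's CrossSiteScriptingValidation (an assumption, not something the page states): a `<` followed by a letter, `!`, `/` or `?` is treated as the start of a tag, `&#` as a character reference, and everything else passes. It then shows that HTML-encoding the reflected value makes both the blocked and the allowed inputs inert, which is the encoding step the answer refers to.

```python
import html

# Assumed approximation of ASP.NET request validation's heuristic
# (not the page's code): flag '<' followed by an ASCII letter, '!', '/'
# or '?', and flag '&#'. '<%' and '<.' do not match, so they pass.
def looks_dangerous(value: str) -> bool:
    for i, ch in enumerate(value[:-1]):
        nxt = value[i + 1]
        if ch == "<" and ((nxt.isascii() and nxt.isalpha()) or nxt in "!/?"):
            return True
        if ch == "&" and nxt == "#":
            return True
    return False


def classify(values):
    """Split inputs into those the heuristic would reject and those it lets through."""
    rejected = [v for v in values if looks_dangerous(v)]
    allowed = [v for v in values if not looks_dangerous(v)]
    return rejected, allowed


def render_untrusted(value: str) -> str:
    """Reflect a user-supplied value into an HTML body, encoded on output.

    html.escape turns <, >, &, " and ' into entities, so whatever the
    request filter did or did not catch, the browser renders it as text.
    """
    return f"<p>You entered: {html.escape(value, quote=True)}</p>"


# Constructed sample inputs: the ones from the question plus the
# answer's example payload.
SAMPLE_INPUTS = [
    "<p",
    "<p>",
    "<script>",
    "<%script>",
    "<.script>",
    '<script>alert("You\'re powned!")</script>',
]

if __name__ == "__main__":
    rejected, allowed = classify(SAMPLE_INPUTS)
    print("rejected by heuristic:", rejected)
    print("allowed by heuristic: ", allowed)
    for v in allowed:
        # Even the inputs that pass validation come out harmless once encoded.
        print(render_untrusted(v))
```

The filter is a heuristic over request input; output encoding is what actually prevents the reflected text from becoming markup.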