
Drawbacks of using ValidateRequest="false" in ASP.NET

I have an ASP.NET page with a text editor. I am passing HTML to the server side. So I started getting an error like "potentially dangerous script".

So I googled it and found a solution on this site:

ValidateRequest="false"

Adding the above code to the page directive solved the error, but I would like to know if there are any drawbacks to using ValidateRequest="false".

You should now be mindful of XSS (Cross Site Scripting) attacks. ValidateRequest=true protected you against XSS by disallowing potentially dangerous HTML script tags. I would suggest that you disable ValidateRequest only for the pages where you accept HTML. This can be done using this directive at the top of the page.

<%@ Page ValidateRequest="false" %>

Even in the cases where you accept HTML, on the C# side you would want to do some processing to sanitize the HTML you received by maintaining a whitelist. This article is a good resource for a simple HTML sanitizer - HTML Agility Pack strip tags NOT IN whitelist
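
A sketch of the whitelist approach described in the answer above, added here as an example; it is not code from the post or from the linked article. The allowed tags and attributes, and the class and method names, are assumptions chosen for illustration. It uses the HTML Agility Pack.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack;

public static class HtmlWhitelist
{
    // Assumed policy for this example: allowed tag -> allowed attributes.
    static readonly Dictionary<string, string[]> Allowed =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase) {
            { "p", new string[0] }, { "br", new string[0] }, { "b", new string[0] },
            { "i", new string[0] }, { "ul", new string[0] }, { "li", new string[0] },
            { "a", new[] { "href" } }
        };
    // Elements removed together with everything inside them.
    static readonly HashSet<string> DropWithContent = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { "script", "style", "iframe", "object", "embed" };

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);
        Clean(doc.DocumentNode);
        return doc.DocumentNode.InnerHtml;
    }

    static void Clean(HtmlNode parent)
    {
        foreach (var node in parent.ChildNodes.ToList())   // copy: the tree is edited below
        {
            if (node.NodeType == HtmlNodeType.Comment) { node.Remove(); continue; }
            if (node.NodeType != HtmlNodeType.Element) continue;   // text nodes stay
            if (DropWithContent.Contains(node.Name)) { node.Remove(); continue; }
            Clean(node);                                    // clean children first
            string[] attrs;
            if (!Allowed.TryGetValue(node.Name, out attrs))
            {   // unknown tag: drop the tag, keep its already-cleaned children
                parent.RemoveChild(node, true);
                continue;
            }
            foreach (var a in node.Attributes.ToList())     // drops onclick, style, ...
                if (!attrs.Contains(a.Name, StringComparer.OrdinalIgnoreCase)
                    || (a.Name == "href" && !IsSafeUrl(a.Value)))
                    a.Remove();
        }
    }

    // Only absolute http/https links pass; javascript:, data: and relative URLs are removed.
    static bool IsSafeUrl(string value)
    {
        Uri uri;
        return Uri.TryCreate(HtmlEntity.DeEntitize(value ?? "").Trim(), UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }
}
```

Call `HtmlWhitelist.Sanitize(...)` on the posted editor content before storing or rendering it, and only on the pages where `ValidateRequest` has been turned off.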
