Request Validation in ASP.Net 4.5 Beta

Posted by on March 11, 2012

The next version of Microsoft’s ASP.Net framework is currently in Beta and there are some pretty cool changes to how Request Validation works in version 4.5.   Up until now, there were two ways to enable or disable request validation:

  1. Globally – This controls request validation for the entire application.
  2. Per Page – This controls request validation on a per-page basis.

In 4.5, the idea is to allow disabling request validation at the field level.  This is a huge improvement, because it allows request validation to be enabled on a much larger scale and only be disabled for specific functionality.  The first step in taking advantage of this is to make sure that the request validation mode is set to 4.5 in the web.config (shown below).

<system.web>
  <compilation debug="true" targetFramework="4.5" />
  <httpRuntime requestValidationMode="4.5" targetFramework="4.5" 
               encoderType="System.Web.Security.AntiXss.AntiXssEncoder, 
               System.Web, Version=4.0.0.0, Culture=neutral, 
               PublicKeyToken=b03f5f7f11d50a3a" />
</system.web>

 

Now that the application is set up for the new validation mode, we can start taking advantage of this.

There are two ways to disable request validation on a specific control, a textbox for example.  The first way, and probably the easiest, is to set the validation request mode to “disabled” in the html markup.  The code below shows how this would look.

<asp:TextBox ID="txtASPNet" ValidateRequestMode="Disabled" runat="server" />

The second way is to set the validation request mode programmatically.  This must be done in one of the earlier events for it to be effective.  During my testing, it worked in the Page_Init event, but not in the Page_Load event.  The code below shows how to do this in the Page_Init event.

protected void Page_Init(object sender, EventArgs e)
{
    txtASPNet.ValidateRequestMode = System.Web.UI.ValidateRequestMode.Disabled;
}

Web controls are not the only way to get such granular control over retrieving data without running request validation on it. A new collection called “Unvalidated” has been added to the request object. This collection allows accessing specific parameters, form variables for example, without checking the value against request validation. This is possible because request validation has been modified to run when a variable is used, not when the request is made. It is important to note that the values of web controls are always used, and so always trigger request validation unless it is disabled on the control, because the framework populates the controls automatically. Let's take a look at accessing an HTML input field without triggering request validation.

protected void cmdTest_Click(object sender, EventArgs e)
{
    // Access directly from the Unvalidated collection.
    // The value skipped request validation, so HTML-encode it before output.
    Response.Write(Server.HtmlEncode(Request.Unvalidated["txtHtml"]));

    // Specify which Unvalidated collection to access.
    Response.Write(Server.HtmlEncode(Request.Unvalidated.Form["txtHtml"]));
}

As you can see, there are two ways to access the Unvalidated collections. You can pass the index to the collection directly, or specify exactly which collection you want to retrieve the data from. In this case, it was the Form collection.

Through my testing, I have not yet been able to access Unvalidated.QueryString values, because the URL gets run against Request Validation, so an exception is thrown before I get a chance to access the unvalidated version.  I have not tried the other collections yet.

It is important to remember that manual validation should be performed in addition to using Request Validation.  This is especially true for the unvalidated fields, but should also be practiced for fields that are validated.  Request Validation is a very limited input validation and does not perform enough validation to be appropriate on its own.
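
One way to pair an unvalidated field with the manual validation described above, as an added example that is not code from the original post. The page class name, the length limit and the tag allowlist are assumptions; txtHtml is the field used earlier in the post.

```csharp
using System;
using System.Text;
using System.Web.Security.AntiXss;

public partial class UnvalidatedDemo : System.Web.UI.Page   // hypothetical page class
{
    private const int MaxLength = 2000;                      // assumed limit
    // Attribute-less tags this field may carry (assumed policy).
    private static readonly string[] AllowedTags = { "b", "i", "u", "p" };

    protected void cmdTest_Click(object sender, EventArgs e)
    {
        // Request validation is skipped for this one field only.
        string raw = Request.Unvalidated.Form["txtHtml"] ?? string.Empty;

        string safe;
        if (!TryRenderLimitedHtml(raw, out safe))
        {
            Response.StatusCode = 400;
            Response.Write("Invalid input.");
            return;
        }
        Response.Write(safe);
    }

    // Manual validation: bound the length, reject control characters,
    // encode everything, then restore only the exact allowlisted tags.
    internal static bool TryRenderLimitedHtml(string raw, out string safe)
    {
        safe = null;
        if (raw.Length > MaxLength) return false;
        foreach (char c in raw)
        {
            if (char.IsControl(c) && c != '\r' && c != '\n' && c != '\t') return false;
        }

        var sb = new StringBuilder(AntiXssEncoder.HtmlEncode(raw, false));
        foreach (string tag in AllowedTags)
        {
            // Only the bare form is restored; a tag with attributes stays encoded.
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        safe = sb.ToString();
        return true;
    }
}
```

Because the whole value is encoded first, anything outside the allowlist, including an allowlisted tag that carries attributes such as an event handler, reaches the browser as inert text.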
