Saturday, June 14, 2014

Asp.Net 4.5 Request Validation


ASP.NET 4.5 brings a notable security improvement in the form of the requestValidationMode setting and the deferred request validation it enables.


Request validation inspects incoming request data (form fields, query string, cookies and headers) for potentially dangerous content: HTML tags, script blocks and similar markup that hint at a cross-site scripting (XSS) attempt. When it finds such content it throws an HttpRequestValidationException and the request fails. Note what it does and does not cover: it looks for markup, not SQL syntax, so it is no defence against SQL injection, and even for XSS it is only a safety net. Anything you render back to the browser must still be HTML-encoded.


Prior to ASP.NET 4.0, request validation ran only for Page requests, as part of page processing. Since 4.0 (requestValidationMode="4.0") it applies to all HTTP requests, including handlers, web services and REST-style endpoints, because a growing share of the traffic an application receives is no longer rendered as HTML pages: the web talks HTTP first and HTML second.


In ASP.NET 2.0, if you wanted to save input containing markup such as <b>Bob</b> from a textbox, you had to put the whole page at risk by setting ValidateRequest="false" in the @Page directive, which switched validation off for every input on that page. With ASP.NET 4.5 you no longer have to: validation can be bypassed selectively at request level (Request.Unvalidated) or at control level (ValidateRequestMode), while every other input stays validated.


ASP.NET 4.5 introduces lazy (deferred) request validation. Instead of validating every value up front when the request begins, validation is triggered only when a particular value is actually read, for example when a control loads its posted text or code calls Request.Form["x"]. A value such as <b>Bob</b> in a field that is never read is never validated. This saves work compared with the earlier up-front implementation, and it is what makes per-control and per-value opt-out possible.


To enable the deferred request validation of ASP.NET 4.5, add the following entry to web.config:


<system.web>
<httpRuntime requestValidationMode="4.5" />
</system.web>


Any value below 4.0 for requestValidationMode (e.g. 3, 3.9, 2.5) makes request validation behave as in ASP.NET 2.0, that is, page requests only; values from 4.0 up to but below 4.5 give the 4.0 behaviour (all requests, validated up front). Once deferred validation is enabled, code that legitimately needs the raw input can read it through Request.Unvalidated (which exposes Form, QueryString, Cookies and the other request collections) without turning validation off for anything else. The following reads the unvalidated value of txtName:


// Raw, unvalidated value. The validated Request.Form["txtName"] would throw on markup.
// Treat it as untrusted: HTML-encode it before rendering it anywhere.
string rawName = Request.Unvalidated.Form["txtName"];


Another useful new feature is the ValidateRequestMode property on server controls. Its default is Inherit, which resolves to Enabled from the page, so every control is validated unless you say otherwise. If a particular control or set of controls should accept markup, set ValidateRequestMode="Disabled" on just those controls. This only has an effect when requestValidationMode is 4.5; in earlier modes the whole request has already been validated before any control gets to read its value.
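The three mechanisms described above (validation deferred until a value is read, Request.Unvalidated for a single raw value, and ValidateRequestMode on a single control) on one Web Forms page. This is an added example, not code from the original post; the control IDs and form field names are assumptions, and it assumes web.config carries the requestValidationMode="4.5" entry shown earlier, since without it the whole request is validated up front and the try/catch below never gets a chance to run.

```csharp
<%@ Page Language="C#" %>
<script runat="server">
    // Added example: assumes <httpRuntime requestValidationMode="4.5" /> in web.config.
    protected void btnSave_Click(object sender, EventArgs e)
    {
        // 1) Control-level opt-out. txtBio is marked ValidateRequestMode="Disabled"
        //    below, so reading .Text never throws, even for <b>Bob</b>.
        string bio = txtBio.Text;

        // 2) Request-level opt-out. Read one raw form value; nothing else is affected.
        string rawComment = Request.Unvalidated.Form["comment"];

        // 3) Default behaviour with deferred validation: "subject" is validated the
        //    moment it is read here, not in BeginRequest, so the exception can be
        //    handled at the point of use. (A validated TextBox would fail earlier,
        //    while the page loads post data, so this pattern is for Request.Form reads.)
        string subject;
        try
        {
            subject = Request.Form["subject"];
        }
        catch (HttpRequestValidationException)
        {
            lblStatus.Text = "Subject contains markup and was rejected.";
            return;
        }

        // Request validation is a safety net, not an output defence. The two values
        // we deliberately let through are exactly the ones that become stored XSS
        // if rendered raw, so everything is HTML-encoded before it reaches the page.
        litOutput.Text = string.Format(
            "<p>Subject: {0}</p><p>Bio: {1}</p><p>Comment: {2}</p>",
            HttpUtility.HtmlEncode(subject),
            HttpUtility.HtmlEncode(bio),
            HttpUtility.HtmlEncode(rawComment));
        lblStatus.Text = "Saved.";
    }
</script>
<html>
<body>
<form id="form1" runat="server">
    <!-- Validated on read in code-behind; markup here triggers the catch block -->
    <input type="text" name="subject" />

    <!-- Opted out at control level: <b>Bob</b> is accepted here and nowhere else -->
    <asp:TextBox ID="txtBio" runat="server" TextMode="MultiLine"
                 ValidateRequestMode="Disabled" />

    <!-- Plain field read via Request.Unvalidated.Form["comment"] -->
    <input type="text" name="comment" />

    <asp:Button ID="btnSave" runat="server" Text="Save" OnClick="btnSave_Click" />
    <asp:Label ID="lblStatus" runat="server" />
    <asp:Literal ID="litOutput" runat="server" />
</form>
</body>
</html>
```

Posting `<b>Bob</b>` into the subject field produces the rejection message; posting it into the bio or comment field is accepted, and the Literal shows it as visible angle brackets rather than bold text because of the encoding step.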

