ValidateRequest in ASP.NET v1.1

There's been a lot of discussion lately, both here and elsewhere, on the ValidateRequest feature in ASP.NET v1.1.  For those who aren't familiar with it, ASP.NET is basically checking all submitted form and query string parameters, as well as cookies, for < and > to prevent script attacks.  It's easy to turn off this feature when you need to allow this type of input: just set ValidateRequest=false in the Page directive or in the web.config file, but you should then be taking the appropriate precautions in your own code.  Anyhow, the point of my post here is to APPLAUD Microsoft and the ASP.NET Team for the guts to add this new feature with it enabled by default (true)!  Yes, this is breaking a lot of people's sites, but that's because they simply didn't read the docs or perform any significant testing before upgrading to the latest and greatest.  That's right -- this feature has been documented all over the place since v1.1 came out in beta as something to watch out for when you upgrade.  So why didn't MS just make the default false and avoid all the hassle that everyone is now experiencing?  Security!  Everyone has been complaining forever that MS doesn't make security a priority and that products ship with insecure features enabled.  Well, that's changed now -- as it should have -- so let's stop the grumbling simply because we were inconvenienced by our own lack of due diligence.  Yes, this can be interpreted as a breaking change, but this should be expected when something is done in the name of security from now on -- get over it!
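As an added illustration (this is example code, not code from the original post), here is what "taking the appropriate precautions in your own code" looks like for a single page that opts out of request validation. The .aspx file carries the directive `<%@ Page Language="C#" ValidateRequest="false" Inherits="Demo.CommentPage" %>` so that only this page accepts < and >, and the code-behind HTML-encodes the raw input before writing it back into the response. The namespace, class and control names are assumptions.

```csharp
// CommentPage.aspx.cs -- added example, not code from the original post.
// The matching CommentPage.aspx opts this one page out of request validation with
//   <%@ Page Language="C#" ValidateRequest="false" Inherits="Demo.CommentPage" %>
// and declares a TextBox "CommentBox", a Button "Submit" (OnClick="Submit_Click")
// and a Literal "Echo" inside a runat="server" form. All of these names are assumptions.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Demo
{
    public class CommentPage : Page
    {
        // Fields match the control IDs in the .aspx markup (ASP.NET 1.1 code-behind style).
        protected TextBox CommentBox;
        protected Literal Echo;

        // With ValidateRequest="false" the framework no longer rejects "<" and ">"
        // in the posted form, so the page itself must neutralise the input before
        // it is written into the response.
        protected void Submit_Click(object sender, EventArgs e)
        {
            Echo.Text = SafeDisplay(CommentBox.Text);
        }

        // HtmlEncode turns <script> into &lt;script&gt;, so the browser renders the
        // text literally instead of executing it. The null check is spelled out
        // because the "??" operator is not available in the C# 1.x compiler.
        public static string SafeDisplay(string raw)
        {
            if (raw == null)
            {
                return "";
            }
            return HttpUtility.HtmlEncode(raw);
        }
    }
}
```

The encoding step matters because the v1.1 Literal and Label controls write their Text property to the response verbatim. If validation is turned off for the whole application in web.config rather than per page, the same treatment has to be applied to every value read from Request.Form, Request.QueryString and Request.Cookies before it is rendered, since those are exactly the inputs the feature was checking.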

Thank you Microsoft and the ASP.NET Team!

6 Comments

  • I'm with you on this. ValidateRequest is a great new feature and can only help by being enabled by default.

  • I agree with Philip. I like this feature, but it breaks a site which is supposed to be live!

    In this case it should be in .Net 2.0 or disabled by default.

    If you have a site with dozens of pages, some containing forms, some that you want to validate, it's a pain to change the code.





  • I don't think the problem is with ASP.NET 1.1 defaulting to ValidateRequest="True". The problem is that a default install of the 1.1 framework changes all existing ASP.NET projects to point at the 1.0 framework.

  • It's a pain to type this? How lazy can you be, one line to change the default for an application in the web.config if you really need to.

    <system.web>
      <pages validateRequest="false" />
    </system.web>

  • Whine and complain, whine and complain. At least you have jobs/careers. Some people aren't so fortunate. Nobody wants to work anymore...just sit around and have microsoft do all your automation. Get yourself a clue. Be proactive.

  • I think this feature is a pathetic attempt at security and a nuisance at best. Why is it that Microsoft can't write a RegEx that is a little more specific to malicious code?

    Hm? <b> That seems threatening. *rolls eyes*

    Here's a hint for Microsoft, match this instead: <script>
