Changes in ASP.NET Request Validation

Hi,

When a page is submitted, users can also submit script along with the post data. An unauthorized postback could also be triggered. The event validation mechanism reduces the risk of unauthorized postback requests and callbacks when the EnableEventValidation property is set to true. This provides a default level of protection against cross-site scripting.

In previous versions of ASP.NET, request validation was turned on by default, but the validation applied only to ASP.NET pages (.aspx pages and their code-behind). This means there was no validation for other requested files such as CSS, images, etc.

In ASP.NET 4.0 this default behavior has changed: validation now takes place for all ASP.NET resources, web services, etc., and not just .aspx pages.

Validation is now enabled even before the BeginRequest phase of the HTTP request life cycle. As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:

<httpRuntime requestValidationMode="2.0" />
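As an added example (not code from the original post), this Python script audits a Web.config for the setting above and for the related validateRequest and enableEventValidation attributes of the pages element, so a reviewer can see where validation has been relaxed. The sample config and the function names are constructed for illustration; it assumes a Web.config whose elements carry no XML namespace, and it treats any requestValidationMode below 4.0 as the 2.0 behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config for illustration (not from the original post).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" enableEventValidation="true" />
  </system.web>
  <location path="upload">
    <system.web>
      <pages enableEventValidation="false" />
    </system.web>
  </location>
</configuration>"""


def _child(node, tag):
    """First direct child with this tag, or None."""
    return next((c for c in node if c.tag == tag), None) if node is not None else None


def audit_web_config(xml_text):
    """Return (scope, finding) tuples for settings that relax validation."""
    root = ET.fromstring(xml_text)
    # Site-wide settings live under <configuration>; scoped ones under <location>.
    scopes = [("(site-wide)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root if loc.tag == "location"]
    findings = []
    for scope, node in scopes:
        web = _child(node, "system.web")
        runtime = _child(web, "httpRuntime")
        mode = runtime.get("requestValidationMode") if runtime is not None else None
        if mode is not None:
            try:
                relaxed = float(mode) < 4.0  # assumption: below 4.0 means the 2.0 behaviour
            except ValueError:
                relaxed = True  # unparseable value: flag for manual review
            if relaxed:
                findings.append((scope, f"requestValidationMode={mode}"))
        pages = _child(web, "pages")
        for attr in ("validateRequest", "enableEventValidation"):
            if pages is not None and (pages.get(attr) or "").strip().lower() == "false":
                findings.append((scope, f"pages {attr}=false"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{scope}: {finding}")
```

Each finding names the scope (site-wide or a location path), which shows whether the revert applies to the whole application or to a single path.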

Vikram
