4

In the past, I've been accustomed to being able to use request validation as a first line of defense for XSS.

However, I don't seem to be able to get the validation to kick in.

<httpRuntime requestValidationMode="4.5"/>

<configuration>
    <system.web>
        <pages validateRequest="true" />
    </system.web>
</configuration>

Regardless of this configuration, errors are not thrown and validation is not being run. Is there some other global way to enable/disable validation that I am missing?

5
  • validations are not being hit where: client or server? Commented Nov 22, 2016 at 22:46
  • As in request validation is not triggering when a form is posted to the controller. Commented Nov 22, 2016 at 22:51
  • So in C# code, not javascript. Ok where is your model, can we see it? Commented Nov 22, 2016 at 22:52
  • To confirm, you're not using any of the newfangled OWIN/Katana stuff, but "classic" IIS-hosted application? Commented Nov 22, 2016 at 22:55
  • Also, what kinds of input are you testing with? Commented Nov 22, 2016 at 22:56

1 Answer

1

There are enhancements added to request validation starting with ASP.NET 4.5 that include deferred ("lazy") validation, the ability to opt-out at the server control level, and the ability to access unvalidated data. In order to leverage these enhancements you will need to ensure that requestValidationMode has been set to "4.5".

web.config:

<configuration>
  <system.web>
    <httpRuntime requestValidationMode="4.5"/>
  </system.web>
</configuration>

from: https://www.owasp.org/index.php/ASP.NET_Request_Validation
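
The deferred validation and unvalidated access described in the answer above, sketched as an added example (not code from the answer or from the OWASP page). It assumes an ASP.NET MVC 5 application on .NET 4.5+ with requestValidationMode="4.5"; the controller name, action names and the "comment" form field are hypothetical.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical controller used only to illustrate 4.5-mode behaviour.
public class CommentController : Controller
{
    // Validated path: in 4.5 mode the check is deferred until the value
    // is actually read, so the exception surfaces at the Request.Form access.
    [HttpPost]
    public ActionResult Validated()
    {
        try
        {
            string comment = Request.Form["comment"]; // validation runs here
            return Content("accepted: " + HttpUtility.HtmlEncode(comment));
        }
        catch (HttpRequestValidationException)
        {
            // Input such as markup in the field was rejected by request validation.
            return new HttpStatusCodeResult(400, "Potentially dangerous input rejected");
        }
    }

    // Unvalidated path: Request.Unvalidated skips request validation for
    // this read, so no exception is thrown whatever the field contains.
    // Output encoding is then the only control left on this code path.
    [HttpPost]
    public ActionResult Raw()
    {
        string comment = Request.Unvalidated.Form["comment"];
        return Content("stored: " + HttpUtility.HtmlEncode(comment));
    }
}
```

When validation appears not to run, checking whether the value is read through an unvalidated accessor, or never read through the validated collections at all, narrows down where the check is being skipped.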
