ASP.NET Request Validation

= DRAFT DOCUMENT - WORK IN PROGRESS =

Description
Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. This exploit is typically referred to as a cross-site scripting (XSS) attack. Request validation helps to prevent this kind of attack by throwing a "potentially dangerous value was detected" error and halting page processing if it detects input that may be malicious, such as markup or code in the request.

Don't Rely on Request Validation for XSS Protection
Request validation is generally desirable and should be left enabled for defense in depth. It should NOT be used as your sole method of XSS protection, and does not guarantee to catch every type of invalid input. There are known, documented bypasses (such as JSON requests) that will not be addressed in future releases, and the request validation feature is no longer provided in ASP.NET vNext.

Fully protecting your application from malicious input requires validating each field of user supplied data. This should start with ASP.NET Validation Controls and/or DataAnnotations attributes to check for:
 * Required fields
 * Correct data type and length
 * Data falls within an acceptable range
 * Whitelist of allowed characters

Any string input that is returned to the client should be encoded using an appropriate method, such as those provided via AntiXssEncoder.

var encodedInput = Server.HtmlEncode(userInput);

Enabling Request Validation
Request validation is enabled by default in ASP.NET. You can check to make sure it is enabled by reviewing the following areas:

Selectively Disabling Request Validation
In some cases you may need to accept input that will fail ASP.NET Request Validation, such as when receiving HTML markup from the end user. In these scenarios you should disable request validation for the smallest surface possible.

ASP.NET Web Forms
For ASP.NET Web Forms applications prior to v4.5, you will need to disable request validation at the page level. Be aware that when doing this all input values (cookies, query string, form elements) handled by this page will not be validated by ASP.NET. <@ Page ValidateRequest="false" %>

Starting with ASP.NET 4.5 you can disable request validation at the individual server control level by setting  to "Disabled". 

ASP.NET MVC
To disable request validation for a specific MVC controller action, you can use the  attribute as shown below. [ValidateInput(false)] public ActionResult Update(int userId, string description)

Starting with ASP.NET MVC 3 you should use the  attribute to decorate specific fields on your view model classes where request validation should not be applied: public class User {   public int Id { get; set; } public string Name { get; set; } public string Email { get; set; } [AllowHtml] public string Description { get; set; } [AllowHtml] public string Bio { get; set; } }

Extending Request Validation
If you are using ASP.NET 4.0 or higher, you have the option of extending or replacing the Request Validation logic by providing your own class that descends from. By implementing this class, you can determine when validation occurs and what type of request data to perform validation on. public class CustomRequestValidation : RequestValidator {   protected override bool IsValidRequestString(        HttpContext context,         string value,         RequestValidationSource requestValidationSource,         string collectionKey,         out int validationFailureIndex) {       validationFailureIndex = -1;

// This is just an example and should not // be used for production code. if (value.Contains("<%")) {           return false; }       else // Leave any further checks to ASP.NET. {           return base.IsValidRequestString(                context,                 value,                 requestValidationSource,                 collectionKey,                 out validationFailureIndex); }   } } This class is then registered in web.config using  :   