Where to find or duplicate code that throws an HttpRequestValidationException

I have some PageMethods (static methods on a page marked with <WebMethod>) defined on some pages and call them using an ajax call. This POST to the server does not seem to go through the ASP.NET code that would raise an HttpRequestValidationException if the submitted data looks like possible XSS, so I would like to duplicate this verification code and run it in my page methods.

Does anyone know the details of this code or where can I find it? I looked in the MS AntiXss library, but it only encodes, not checks, AFAIK.

Edit: or point me toward code or a library that does some similar validation.

1 answer

By analyzing the stack trace when a System.Web.HttpRequestValidationException is thrown, we can find out which code throws it.

System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was found at the client (IdentifierTextBox = "

at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)

Using Reflector, we find that ValidateString calls RequestValidator.Current.IsValidRequestString, which in turn calls CrossSiteScriptingValidation.IsDangerousString:

// Only two characters can start a "dangerous" sequence: '<' and '&'.
private static char[] startingChars = new char[] { '<', '&' };

// Returns true if the value contains "<" followed by a letter, '!', '/' or '?',
// or "&#" (a numeric HTML entity). matchIndex receives the offset of the last
// candidate character examined, which is what the exception message reports.
internal static bool IsDangerousString(string s, out int matchIndex)
{
    matchIndex = 0;
    int startIndex = 0;
    while (true)
    {
        int num2 = s.IndexOfAny(startingChars, startIndex);
        if (num2 < 0)
        {
            return false;   // no '<' or '&' left in the string
        }
        if (num2 == (s.Length - 1))
        {
            return false;   // a trailing '<' or '&' has nothing after it to check
        }
        matchIndex = num2;
        char ch = s[num2];
        if (ch != '&')
        {
            // '<' followed by a letter, '!', '/' or '?' looks like the start of a tag
            if ((ch == '<') && ((IsAtoZ(s[num2 + 1]) || (s[num2 + 1] == '!')) || ((s[num2 + 1] == '/') || (s[num2 + 1] == '?'))))
            {
                return true;
            }
        }
        else if (s[num2 + 1] == '#')
        {
            return true;    // "&#..." numeric entity
        }
        startIndex = num2 + 1;
    }
}

private static bool IsAtoZ(char c)
{
    return ((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z'));
}
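One way to run the same validation inside a page method, as an added example that is not part of the original answer: on .NET 4.0 and later System.Web.Util.RequestValidator is public, so the check that ValidateString performs can be called directly instead of copying the decompiled code (on .NET 3.5 that class is not accessible and the decompiled IsDangerousString above is the alternative). The class and method names (PageMethodGuard, Profile, GetProfile), the parameter names and the sample strings in the comments are assumptions made for illustration.

```csharp
// Added example, not from the original answer. Assumes .NET 4.0 or later,
// where System.Web.Util.RequestValidator is public.
using System.Web;
using System.Web.Services;
using System.Web.UI;
using System.Web.Util;

public static class PageMethodGuard
{
    // Runs the configured request validator (the built-in one, or a custom
    // requestValidationType from web.config) over a single page-method argument
    // and throws the same exception type ASP.NET throws for Request.Form values.
    public static void Validate(string parameterName, string value)
    {
        if (value == null)
            return;

        int failureIndex;
        bool ok = RequestValidator.Current.IsValidRequestString(
            HttpContext.Current,
            value,
            RequestValidationSource.Form,   // treat the argument like a posted form field
            parameterName,                  // reported as the "collection key"
            out failureIndex);

        if (!ok)
        {
            throw new HttpRequestValidationException(
                "A potentially dangerous value was found in page method argument '"
                + parameterName + "' at offset " + failureIndex + ".");
        }
    }
}

public partial class Profile : Page
{
    // With the built-in validator these constructed sample inputs behave as follows:
    //   "<script>alert(1)</script>"   rejected ("<" followed by a letter)
    //   "&#60;script&#62;"             rejected ("&#" numeric entity)
    //   "a < b && c > d"               accepted ("<" followed by a space, "&" not followed by "#")
    //   "trailing<"                    accepted (the trigger character is the last character)
    [WebMethod]
    public static string GetProfile(string identifier, string note)
    {
        PageMethodGuard.Validate("identifier", identifier);
        PageMethodGuard.Validate("note", note);

        // Validation passed, but the values are still untrusted and must be
        // HTML-encoded when rendered (AntiXss or HttpUtility.HtmlEncode).
        return HttpUtility.HtmlEncode(identifier) + ": " + HttpUtility.HtmlEncode(note);
    }
}
```

The argument is tagged as RequestValidationSource.Form deliberately: the default validator skips values tagged as Headers, and Form matches how the same data would have been treated had it arrived as a normal postback. The thrown HttpRequestValidationException is returned to the ajax caller as a failed call by the page-method infrastructure, so the method body never runs on a rejected value. As the accepted "a < b && c > d" case shows, the check is only a heuristic against the most common tag and entity patterns; it is not a substitute for encoding on output.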

Source: https://habr.com/ru/post/1702447/
