Cross-site scripting (XSS) is a problem that ASP.NET helps you deal with by not allowing any "malicious" (I'm interpreting this as HTML tags, whether it's <0BJECT> or <i>) input in the Request object, by default. This behaviour can be switched off by setting the "ValidateRequest" Page directive to "false" and you can do your own validation à la Peter van Ooijen's "Protecting an ASP.NET page against malicious input with ValidateRequest (A potentially dangerous Request.Form value was detected)" post.
A System.Web.HttpRequestValidationException is raised, which I handle through my error page.
The validation control merely forewarns the user and, in my mind, is enough to prevent accidental or curious users from entering HTML tags in free-text data entry fields.
Note: I figured out the regex using http://www.regular-expressions.info/reference.html - the regex matches strings from start to end (the leading ^ character and the closing $ sign) where there are no occurrences of the characters in the square brackets. Initially I thought that the angle bracket characters would need to be escaped, but they don't.
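As an added example (not the post's own code) of how the two layers above fit together, here is a Web Forms code-behind that pairs a RegularExpressionValidator with a server-side Page.IsValid check and handles the HttpRequestValidationException that request validation raises. The control names (Comment, CommentNoTags, Output), the handler names and the regex ^[^<>]*$ are assumptions, since the post does not show its markup.

```csharp
// Added example, not from the original post. Assumes the .aspx declares:
//   <%@ Page ValidateRequest="true" %>
//   <asp:TextBox ID="Comment" runat="server" />
//   <asp:RegularExpressionValidator ID="CommentNoTags" runat="server"
//       ControlToValidate="Comment" ValidationExpression="^[^<>]*$"
//       ErrorMessage="HTML tags are not allowed." />
//   <asp:Label ID="Output" runat="server" />
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public partial class CommentPage : Page
{
    // Same (assumed) pattern as the validator: anchored at both ends,
    // and no '<' or '>' anywhere in between.
    private static readonly Regex NoTags =
        new Regex(@"^[^<>]*$", RegexOptions.Compiled);

    protected void Submit_Click(object sender, EventArgs e)
    {
        // The validator only forewarns the browser; the server must ask.
        Page.Validate();
        if (!Page.IsValid) return;

        string text = Comment.Text;
        // Defence in depth: re-check on the server in case the client
        // never ran the validator script at all.
        if (!NoTags.IsMatch(text))
        {
            CommentNoTags.IsValid = false;
            return;
        }
        // Encode on output regardless, so any stray markup renders as text.
        Output.Text = HttpUtility.HtmlEncode(text);
    }

    // Request validation (ValidateRequest="true") raises the exception
    // before Submit_Click ever runs; route it to the site's error page.
    protected override void OnError(EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex is HttpRequestValidationException)
        {
            Server.ClearError();
            Response.Redirect("~/Error.aspx?reason=badinput", false);
            return;
        }
        base.OnError(e);
    }
}
```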
posted @ Wednesday, December 07, 2005 8:34 PM