Consider adding RequestValidator.Current.InvokeIsValidRequestString #262
Comments
@g2petter Can you share more about what you're using the @blowdart @GrabYourPitchforks Do you have any guidance on whether/how to approach replacing
It would be replaced with a custom middleware in which you'd inspect and validate the properties you want to validate. Validating body elements would be difficult though, as you'd have to buffer, read the body, and then get asp.net to parse it for things like form elements. I'm not sure if you can plug into the pipeline at a point after the request has been parsed but before routing happens, @Tratcher may have some ideas.
Middleware can easily read the request path, query, headers, and even small-medium forms. Validating request body content in any other format would require buffering and duplicate parsing.
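The middleware approach described in the two comments above, as an added example that is not part of the thread or the project's own code. The class name, the 64 KB form cap and the pattern check (an approximation of the legacy System.Web request-validation heuristic: `<` followed by a letter, `!`, `/` or `?`, or the sequence `&#`) are assumptions.

```csharp
// Added example: coarse request-string validation as ASP.NET Core middleware.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public sealed class RequestStringValidationMiddleware // hypothetical name
{
    private const long MaxFormBytes = 64 * 1024; // assumed cap for "small-medium" forms
    private readonly RequestDelegate _next;

    public RequestStringValidationMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        var request = context.Request;

        // Path, query and headers are available without touching the body.
        bool suspicious =
            LooksLikeMarkup(request.Path.Value) ||
            request.Query.Any(kv => LooksLikeMarkup(kv.Key) || kv.Value.Any(v => LooksLikeMarkup(v))) ||
            request.Headers.Any(h => h.Value.Any(v => LooksLikeMarkup(v)));

        // Forms only, and only when a declared length is under the cap.
        // ReadFormAsync caches the parsed form, so later binding reuses it.
        // Chunked bodies (no Content-Length) and other formats are not inspected here.
        if (!suspicious && request.HasFormContentType && request.ContentLength is <= MaxFormBytes)
        {
            var form = await request.ReadFormAsync(context.RequestAborted);
            suspicious = form.Any(kv => LooksLikeMarkup(kv.Key) || kv.Value.Any(v => LooksLikeMarkup(v)));
        }

        if (suspicious)
        {
            context.Response.StatusCode = StatusCodes.Status400BadRequest;
            await context.Response.WriteAsync("Request contains potentially unsafe input.");
            return;
        }
        await _next(context);
    }

    // Approximation (assumption) of the legacy check: "<" + letter/!///?, or "&#".
    internal static bool LooksLikeMarkup(string? s)
    {
        if (string.IsNullOrEmpty(s)) return false;
        for (int i = 0; i < s.Length - 1; i++)
        {
            char c = s[i], n = s[i + 1];
            bool letter = (n >= 'a' && n <= 'z') || (n >= 'A' && n <= 'Z');
            if ((c == '<' && (letter || n == '!' || n == '/' || n == '?')) || (c == '&' && n == '#')) return true;
        }
        return false;
    }
}
```

Register it with `app.UseMiddleware<RequestStringValidationMiddleware>()` ahead of routing so rejected requests never reach an endpoint.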
@adityamandaleeka, we're using the RequestValidator.Current.InvokeIsValidRequestString method to check if certain strings contain potential XSS attacks.
Inspecting the input content is not a robust safety measure. A better approach is to ensure that all output values are properly encoded.
We are also doing that. This is intended as an additional safety measure and to provide the submitting user with immediate feedback that the data isn't valid. In the process of updating another solution to .NET Standard 2.0 I have also found that the
I'm trying to migrate a solution to .NET Standard 2.0 using the System.Web adapters, and it's been working well until I came across a project where we use the System.Web.Util namespace, specifically the RequestValidator.

using System.Web.Util results in "The type or namespace name "Util" does not exist [...]"

Does this mean that the Util namespace isn't supported by this project? If so, are there any plans to add support for it later?