Consider adding RequestValidator.Current.InvokeIsValidRequestString #262
Comments
|
@g2petter Can you share more about what you're using the @blowdart @GrabYourPitchforks Do you have any guidance on whether/how to approach replacing |
adityamandaleeka
added
the
needs author feedback
|
It would be replaced with a custom middleware in which you'd inspect and validate the properties you want to validate. Validating body elements would be difficult though, as you'd have to buffer, read the body, and then get asp.net to parse it for things like form elements. I'm not sure if you can plug into the pipeline at a point after the request has been parsed but before routing happens, @Tratcher may have some ideas. |
|
Middleware can easily read the request path, query, headers, and even small-medium forms. Validating request body content in any other format would require buffering and duplicate parsing. |
|
@adityamandaleeka, we're using the RequestValidator.Current.InvokeIsValidRequestString method to check if certain strings contain potential XSS attacks. |
|
Inspecting the input content is not a robust safety measure. A better approach is to ensure that all output values are properly encoded. |
|
We are also doing that. This is intended as an additional safety measure and to provide the submitting user with immediate feedback that the data isn't valid. In the process of updating another solution to .NET Standard 2.0 I have also found that the |
twsouthwick
changed the title
I'm trying to migrate a solution to .NET Standard 2.0 using the System.Web adapaters, and it's been working well until I came across a project where we use the
System.Web.Utilnamespace, specifically theRequestValidator.using System.Web.Utilresults in "The type or namespace name "Util" does not exist [...]"Does this mean that the
Utilnamespace isn't supported by this project? If so, are there any plans to add support for it later?The text was updated successfully, but these errors were encountered: