Request validation is enabled by default in ASP.NET and it basically stops people from submitting a form with HTML in any of the input fields. It’s a little more sophisticated than that, but basically it just looks for HTML tags and if it finds any, it throws an exception and the form is prevented from being posted.

However, you often want people to be able to write HTML tags in your forms. That’s why most people turn it off either globally in web.config or on the individual pages hosting a form and then just HTML encodes the values. I’ve done it reluctantly myself many times, but there is a smarter way to allow HTML input without turning request validation off.

What if we could just HTML encode all input fields just before the form is submitted? That way we could benefit from request validation and the security it offers out of the box. By having request validation enabled, you also make it impossible for spambots to post links in your form.

The easiest way of doing this is to create a custom server control that inherits from System.Web.UI.WebControls.TextBox and add a little JavaScript magic. I’ve written a SafeTextBox class that HTML encodes its value client-side and then HTML decodes the value again server-side. That way it can be treated just like a normal TextBox.

[code:c#]

public class SafeTextBox : System.Web.UI.WebControls.TextBox
{
 protected override void OnLoad(System.EventArgs e)
 {
  base.OnLoad(e);
  if (!Page.ClientScript.IsClientScriptBlockRegistered(Page.GetType(), "TextBoxEncode"))
  {
   System.Text.StringBuilder sb = new System.Text.StringBuilder();
   sb.Append("function TextBoxEncode(id)");
   sb.Append("{");
   sb.Append("var tb = document.getElementById(id);");
   sb.Append("tb.value = tb.value.replace(new RegExp('<', 'g'), '&lt;');");
   sb.Append("tb.value = tb.value.replace(new RegExp('>', 'g'), '&gt;');");
   sb.Append("}");
   Page.ClientScript.RegisterClientScriptBlock(Page.GetType(), "TextBoxEncode", sb.ToString(), true);
  }

  // Adds the function call after the form validation is called.
  if (!Page.IsPostBack)
   Page.Form.Attributes["onsubmit"] += "TextBoxEncode('" + ClientID + "');";
 }

 public override string Text
 {
  get { return base.Text; }
  set
  {
   if (!string.IsNullOrEmpty(value))
    base.Text = value.Replace("&lt;", "<").Replace("&gt;", ">");
   else
    base.Text = value;
  }
 }
}

[/code]

The way the SafeTextBox HTML encodes/decodes is not very sophisticated but it works. You can add your own logic to the encoding/decoding if you feel the need.

To roll this out on your own website, just dump the SafeTextBox class in the App_Code folder and hook it up using tag mapping.

In the last couple of months I’ve been getting more and more attacks through the use of URL parameters. What happens is that I get a lot of requests to the pages that has URL parameters and then the hacker or robot tries to do SQL injection by adding code to the parameters.

This is one of the pages where this happens:

http://blog.madskristensen.dk/?year=2006&month=5

and this is the request that is made to that page by the robot:

http://blog.madskristensen.dk/?year=2006&month=5 and user>0

In my case nothing happens since BlogEngine isn’t vulnerable to these kinds of attacks, but it definitely is a reminder to always make sure that SQL injection attacks cannot happen from URL parameters like this. It was only when I counted the number of these attacks made to this website that I realized just how many I get on a daily basis. Be careful.