However, even if the page fails validation, it is
still possible to access and use a value.
Check the Page’s IsValid Property Before Handling User-supplied Data
It is the developer’s responsibility to check the Page’s IsValid property. If reviewing an
application that makes use of validators, look for event handlers that do not immediately
check the value of the IsValid property.
Here’s an example of an event handler that properly checks that the page has been
validated:
protected void SubmitButton_Click(object sender, EventArgs e)
{
    // If the page is not valid then do nothing;
    // the validators will properly format the output.
    if (Page.IsValid == false)
    {
        return;
    }
    // Insert Business Logic Here
}
Since validators require developers to be explicit about checking their results, validators
are often misused. Remember this rule: if the browser won’t let an attacker submit evil
data, he will find a way to use tools such as WebScarab to get around that restriction.
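The following code-behind is an added example, not code from the book: it places the misuse described above (an event handler that never consults IsValid) beside the correct pattern, and adds a server-side re-parse of the value so the business logic does not depend on a client-side validator having run. The page name, control names and the 1-100 range are assumptions for the illustration.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed markup: a TextBox "QuantityBox" with a RequiredFieldValidator and a
// RangeValidator (1-100) attached, a Label "ResultLabel", and two buttons wired
// to the handlers below. In a real project these control fields live in the
// designer file; they are declared here so the example is self-contained.
public partial class OrderPage : Page
{
    protected TextBox QuantityBox;
    protected Label ResultLabel;

    // Misuse: the validators still run and render their error text, but this
    // handler proceeds regardless. A client that skips the browser-side checks
    // (or posts the form directly) reaches the business logic with unvalidated
    // input, and int.Parse will throw on non-numeric text.
    protected void UnsafeSubmit_Click(object sender, EventArgs e)
    {
        int quantity = int.Parse(QuantityBox.Text);
        PlaceOrder(quantity);
    }

    // Correct pattern: validation has already run before the click event fires,
    // so checking Page.IsValid short-circuits when any validator on the page failed.
    protected void SafeSubmit_Click(object sender, EventArgs e)
    {
        if (!Page.IsValid)
        {
            return; // the validators render their own error messages
        }

        // Defence in depth: parse and range-check on the server as well, rather
        // than trusting that a validator covered every path to this handler.
        int quantity;
        if (!int.TryParse(QuantityBox.Text, out quantity) || quantity < 1 || quantity > 100)
        {
            ResultLabel.Text = "Quantity must be a whole number between 1 and 100.";
            return;
        }

        PlaceOrder(quantity);
    }

    private void PlaceOrder(int quantity)
    {
        // Business logic placeholder for the example.
        ResultLabel.Text = "Ordered " + quantity + " item(s).";
    }
}
```

When reviewing, the handler to flag is the one shaped like UnsafeSubmit_Click: any postback handler on a page with validators that reaches its first use of a control value without an IsValid check.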
Default Page Validation
In ASP.Net 2.0, Microsoft added new default page validation that is automatically associated
with every Submit action. This validation is intended to address XSS directly by inspecting incoming
requests and determining whether or not the client is attempting to submit malicious
data such as HTML or client-side script.