ASP.NET 1.1 adds a request validation feature designed to prevent
some types of script injection attacks. If request validation is
enabled (the default), ASP.NET will check all posted values, cookies,
and the query string for potentially dangerous input. One example of
potentially dangerous input is if the user enters a JavaScript block
into a textbox. This becomes a problem if your code attempts to
display the textbox content by writing it to a web page without first
encoding it using the HttpServerUtility.HtmlEncode(
) method. In this case, your page will not just display the
textbox contentsinstead, it will execute the script block.
With request validation, however, this shouldn't
occur, as ASP.NET will throw the
HttpRequestValidationException when a page with
potentially dangerous content is posted back to the server.
You can disable request validation by setting the
validateRequest attribute in the
Page directive to false. In
this case, your application should explicitly check or HTML encode
all user input. Note that request validation and the
HttpRequestValidationException class are only
found in Version 1.1 of the .NET Framework.
public sealed class HttpRequestValidationException : HttpException {
// No public or protected members
}
System.Exception(System.Runtime.Serialization.ISerializable)
