

Validation Class

Note: This API is now obsolete.

Excludes fields of the Request object from being checked for potentially unsafe HTML markup and client script.

Inheritance Hierarchy

System.Object
  System.Web.Helpers.Validation

Namespace:  System.Web.Helpers
Assembly:  System.Web.WebPages (in System.Web.WebPages.dll)

Syntax

Visual Basic
'Declaration
<ExtensionAttribute> _
<ObsoleteAttribute("Use System.Web.HttpRequest.Unvalidated instead.")> _
Public NotInheritable Class Validation

C#
[ObsoleteAttribute("Use System.Web.HttpRequest.Unvalidated instead.")]
public static class Validation

C++
[ExtensionAttribute]
[ObsoleteAttribute(L"Use System.Web.HttpRequest.Unvalidated instead.")]
public ref class Validation abstract sealed

F#
[<AbstractClassAttribute>]
[<SealedAttribute>]
[<ObsoleteAttribute("Use System.Web.HttpRequest.Unvalidated instead.")>]
type Validation =  class end

JScript
public final class Validation

Methods

All members listed are public static methods.

Name | Description
Unvalidated(HttpRequest) | Returns a version of form values, cookies, and query-string variables without checking them first for HTML markup and client script.
Unvalidated(HttpRequestBase) | Returns all values from the Request object (including form fields, cookies, and the query string) without checking them first for HTML markup and client script.
Unvalidated(HttpRequest, String) | Returns a value from the specified form field, cookie, or query-string variable without checking it first for HTML markup and client script.
Unvalidated(HttpRequestBase, String) | Returns the specified value from the Request object without checking it first for HTML markup and client script.


Remarks

Request validation checks for HTML markup and client script when a page is submitted. Validation examines form fields, cookies, and query-string variables. By default, if any markup or script is detected, ASP.NET throws an exception and the page is not processed. This helps protect the web application against security exploits such as cross-site scripting (XSS) attacks.

In some instances, it is useful to let users submit markup in specific fields (input and textarea elements) on a page. For example, this is typical in a field where users can enter free-form comments. In that case, you can exclude that field from request validation, and users can include markup such as <b>, <em>, and so on.

Security Note

If you exclude a field from request validation, you must check it yourself to be sure it does not include malicious markup or code.
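One way to do that check for the free-form comment case described above, shown as an added example that is not part of the original reference page. The class name CommentSanitizer, the method ToSafeHtml and the field name "comment" are hypothetical; the allow-list contains only the two tags the Remarks mention.

```csharp
using System;
using System.Net;

public static class CommentSanitizer
{
    // Hypothetical allow-list: only the bare formatting tags named in the Remarks.
    private static readonly string[] AllowedTags = { "b", "em" };

    // Encode the whole value first, then restore only exact, attribute-free
    // allowed tags. Anything else (script elements, event-handler attributes,
    // upper-case or malformed variants) stays encoded and renders as text.
    // Tags are not balanced: an unclosed <b> can affect layout, not script execution.
    public static string ToSafeHtml(string raw)
    {
        if (string.IsNullOrEmpty(raw)) return string.Empty;

        // After this call no '<', '>', '&' or quote character survives as markup.
        string encoded = WebUtility.HtmlEncode(raw);

        foreach (string tag in AllowedTags)
        {
            encoded = encoded
                .Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return encoded;
    }

    public static void Main()
    {
        // Constructed sample standing in for the raw field value. In a page it
        // would come from Request.Unvalidated("comment") or, with the replacement
        // API named in the ObsoleteAttribute, Request.Unvalidated.Form["comment"].
        string raw = "<b>Nice</b> post, <em>thanks</em> " +
                     "<script>alert(1)</script> <b onclick=\"x()\">hi</b>";

        // Only the bare <b>...</b> and <em>...</em> pairs come back as markup.
        Console.WriteLine(ToSafeHtml(raw));
    }
}
```

In a Razor page the returned string has to be written with Html.Raw, because normal output encoding would encode the restored tags again; no other unvalidated value should be passed to Html.Raw.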

Note

The methods in this class are not intended to be called directly. For example, to exclude httpRequest, you would not use System.Web.Helpers.Validation.Unvalidated(httpRequest). Instead, use Request.Unvalidated(httpRequest).

Thread Safety

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

See Also

Reference

System.Web.Helpers Namespace

Other Resources

"Potentially Dangerous" errors in ASP.NET Web Pages (Razor)

XSS (Cross Site Scripting) Prevention Cheat Sheet