HttpRequestValidationException Class
Definition
The exception that is thrown when a potentially malicious input string is received from the client as part of the request data. This class cannot be inherited.
public ref class HttpRequestValidationException sealed : System::Web::HttpException
public sealed class HttpRequestValidationException : System.Web.HttpException
[System.Serializable]
public sealed class HttpRequestValidationException : System.Web.HttpException
type HttpRequestValidationException = class
inherit HttpException
[<System.Serializable>]
type HttpRequestValidationException = class
inherit HttpException
Public NotInheritable Class HttpRequestValidationException
Inherits HttpException
Examples
The following code example demonstrates how to check for malicious user input by using an HttpRequestValidationException.
Important
This example has a text box that accepts user input, which is a potential security threat. By default, ASP.NET Web pages validate that user input does not include script or HTML elements. For more information, see Script Exploits Overview.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    void Button1_Click(object sender, EventArgs e)
    {
        // Request validation has already run by the time this handler executes.
        // Label.Text is written to the page as-is, so encode the value as well.
        Label1.Text = Server.HtmlEncode(txt1.Text);
    }
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1" runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:TextBox id="txt1" Runat="server" />
        <asp:Button ID="Button1" Runat="server" Text="Button" OnClick="Button1_Click" />
        <br /><br />You entered: <asp:Label ID="Label1" Runat="server" Text="Label" />.
    </div>
    </form>
</body>
</html>
<%@ Page Language="VB" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs)
        ' Request validation has already run by the time this handler executes.
        ' Label.Text is written to the page as-is, so encode the value as well.
        Label1.Text = Server.HtmlEncode(txt1.Text)
    End Sub
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:TextBox id="txt1" Runat="server" />
        <asp:Button ID="Button1" Runat="server" Text="Button" OnClick="Button1_Click" />
        <br /><br />You entered: <asp:Label ID="Label1" Runat="server" Text="Label" />.
    </div>
    </form>
</body>
</html>
Remarks
Constraining and validating user input is essential in a Web application to prevent attacks that rely on malicious input strings. Cross-site scripting is one example of such an attack. Other types of malicious or undesired data can be passed in a request through various forms of input. By limiting the kinds of data that are passed at a low level in an application, you can prevent undesirable events, even when programmers who are using your code do not put the proper validation techniques in place.
Request validation detects potentially malicious client input and throws this exception to abort processing of the request. A request abort can indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. It is strongly recommended that your application explicitly check all input regarding request aborts. However, you can disable request validation by setting the validateRequest attribute in the @ Page directive to false, as shown in the following example:
<%@ Page validateRequest="false" %>
To disable request validation for your application, you must modify or create a Web.config file for your application and set the validateRequest attribute of the pages section to false, as shown in the following example:
<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>
To disable request validation for all applications on your server, you can make this modification to the Machine.config file.
Note
It is strongly recommended that your application explicitly check all inputs it uses in addition to the request validation performed by ASP.NET. The request validation feature cannot catch all attacks, especially those crafted specifically against your application logic.
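The request abort described above can be recorded and answered centrally instead of surfacing as a default error page. The following Global.asax code-behind is an added example, not code from the original reference page; the class name Global, the use of System.Diagnostics.Trace as the log sink, the 200-character cap and the response text are assumptions.

```csharp
// Global.asax.cs: added example, not part of the original reference page.
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (error == null) return;

        // The exception may arrive directly or wrapped by the page framework.
        HttpRequestValidationException rejected =
            error as HttpRequestValidationException
            ?? error.GetBaseException() as HttpRequestValidationException;
        if (rejected == null) return; // leave other errors to the normal pipeline

        // Record the abort so repeated probing is visible in the logs.
        // The framework's message identifies the rejected request value;
        // it is flattened and truncated so it cannot forge extra log lines.
        System.Diagnostics.Trace.TraceWarning(
            "Request validation rejected input: method={0} client={1} detail={2}",
            Request.HttpMethod,
            Request.UserHostAddress,
            ToSingleLine(rejected.Message));

        // Answer with a plain 400 and never echo the rejected value back.
        Server.ClearError();
        Response.Clear();
        Response.TrySkipIisCustomErrors = true;
        Response.StatusCode = 400;
        Response.ContentType = "text/plain";
        Response.Write("The request contained input that is not allowed.");
        CompleteRequest();
    }

    // Assumed helper: removes line breaks and caps the length of logged text.
    private static string ToSingleLine(string value)
    {
        if (string.IsNullOrEmpty(value)) return string.Empty;
        string oneLine = value.Replace('\r', ' ').Replace('\n', ' ');
        return oneLine.Length > 200 ? oneLine.Substring(0, 200) : oneLine;
    }
}
```

The handler only reports and rejects; it does not replace the explicit input checks and output encoding the note above recommends.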
Constructors
| Name | Description |
| --- | --- |
| HttpRequestValidationException() | Creates a new instance of the HttpRequestValidationException class. |
| HttpRequestValidationException(String, Exception) | Initializes a new instance of the HttpRequestValidationException class with a specified error message and a reference to the inner exception that is the cause of the exception. |
| HttpRequestValidationException(String) | Creates a new HttpRequestValidationException exception with the specified error message. |
Properties
| Name | Description |
| --- | --- |
| Data | Gets a collection of key/value pairs that provide additional user-defined information about the exception. (Inherited from Exception) |
| ErrorCode | Gets the |
| HelpLink | Gets or sets a link to the help file associated with this exception. (Inherited from Exception) |
| HResult | Gets or sets HRESULT, a coded numerical value that is assigned to a specific exception. (Inherited from Exception) |
| InnerException | Gets the Exception instance that caused the current exception. (Inherited from Exception) |
| Message | Gets a message that describes the current exception. (Inherited from Exception) |
| Source | Gets or sets the name of the application or the object that causes the error. (Inherited from Exception) |
| StackTrace | Gets a string representation of the immediate frames on the call stack. (Inherited from Exception) |
| TargetSite | Gets the method that throws the current exception. (Inherited from Exception) |
| WebEventCode | Gets the event codes that are associated with the HTTP exception. (Inherited from HttpException) |
Methods
| Name | Description |
| --- | --- |
| Equals(Object) | Determines whether the specified object is equal to the current object. (Inherited from Object) |
| GetBaseException() | When overridden in a derived class, returns the Exception that is the root cause of one or more subsequent exceptions. (Inherited from Exception) |
| GetHashCode() | Serves as the default hash function. (Inherited from Object) |
| GetHtmlErrorMessage() | Gets the HTML error message to return to the client. (Inherited from HttpException) |
| GetHttpCode() | Gets the HTTP response status code to return to the client. (Inherited from HttpException) |
| GetObjectData(SerializationInfo, StreamingContext) | Gets information about the exception and adds it to the SerializationInfo object. (Inherited from HttpException) |
| GetType() | Gets the runtime type of the current instance. (Inherited from Exception) |
| MemberwiseClone() | Creates a shallow copy of the current Object. (Inherited from Object) |
| ToString() | Returns a string that contains the HRESULT of the error. (Inherited from ExternalException) |
Events
| Name | Description |
| --- | --- |
| SerializeObjectState | Obsolete. Occurs when an exception is serialized to create an exception state object that contains serialized data about the exception. (Inherited from Exception) |