RequestValidator Class
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Defines base methods for custom request validation.
public ref class RequestValidator
public class RequestValidator
type RequestValidator = class
Public Class RequestValidator
Inheritance: Object → RequestValidator
Examples
The following example shows how to create a custom request validator that allows only a specific string to be used for query-string values.
using System;
using System.Web;
using System.Web.Util;

public class CustomRequestValidation : RequestValidator
{
    public CustomRequestValidation() { }

    protected override bool IsValidRequestString(
        HttpContext context, string value,
        RequestValidationSource requestValidationSource, string collectionKey,
        out int validationFailureIndex)
    {
        validationFailureIndex = -1;  // Set a default value for the out parameter.

        // This application does not use RawUrl directly so you can ignore the check.
        if (requestValidationSource == RequestValidationSource.RawUrl)
            return true;

        // Allow the query-string key data to have a value that is formatted like XML.
        if ((requestValidationSource == RequestValidationSource.QueryString) &&
            (collectionKey == "data"))
        {
            // The query-string value "<example>1234</example>" is allowed.
            if (value == "<example>1234</example>")
            {
                validationFailureIndex = -1;
                return true;
            }
            else
                // Leave any further checks to ASP.NET.
                return base.IsValidRequestString(context, value,
                    requestValidationSource,
                    collectionKey, out validationFailureIndex);
        }
        // All other HTTP input checks are left to the base ASP.NET implementation.
        else
        {
            return base.IsValidRequestString(context, value, requestValidationSource,
                collectionKey, out validationFailureIndex);
        }
    }
}
Imports System.Web
Imports System.Web.Util

Public Class CustomRequestValidation
    Inherits RequestValidator

    Public Sub New()
    End Sub

    Protected Overloads Overrides Function IsValidRequestString(ByVal context As HttpContext, ByVal value As String, _
            ByVal requestValidationSource__1 As RequestValidationSource, _
            ByVal collectionKey As String, _
            ByRef validationFailureIndex As Integer) As Boolean
        validationFailureIndex = -1 ' Set a default value for the out parameter.

        ' This application does not use RawUrl directly so you can ignore the check.
        If requestValidationSource__1 = RequestValidationSource.RawUrl Then
            Return True
        End If

        ' Allow the query-string key data to have a value that is formatted like XML.
        If (requestValidationSource__1 = RequestValidationSource.QueryString) AndAlso (collectionKey = "data") Then
            ' The query-string value "<example>1234</example>" is allowed.
            If value = "<example>1234</example>" Then
                validationFailureIndex = -1
                Return True
            Else
                ' Leave any further checks to ASP.NET.
                Return MyBase.IsValidRequestString(context, value,
                    requestValidationSource__1, collectionKey,
                    validationFailureIndex)
            End If
        Else
            ' All other HTTP input checks are left to the base ASP.NET implementation.
            Return MyBase.IsValidRequestString(context, value, requestValidationSource__1, collectionKey, validationFailureIndex)
        End If
    End Function
End Class
The following example shows how to configure ASP.NET to use the custom validator in the Web.config file for an application.
<system.web>
  <httpRuntime requestValidationType="CustomRequestValidation" />
</system.web>
Remarks
By default, ASP.NET does not validate requests until code explicitly requests a value from the request. For example, ASP.NET does not validate query-string values until code accesses the QueryString collection. By default, ASP.NET also does not validate some types of request data, such as form values, cookies, the names of files that have been uploaded using HTTP, and the value of the RawUrl property.
The RequestValidator class is a base class that you can implement in order to provide custom request validation. By implementing this class, you can determine when validation occurs and what type of request data to perform validation on.
By default, ASP.NET provides cross-site scripting (XSS) checks. However, you can supplement or replace the request validation logic that ASP.NET provides by creating a custom implementation of those checks. For example, you can write a custom request validation implementation that scans for SQL injection attacks in addition to checking for XSS attacks.
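The supplementing case described above, as an added example that is not part of the original documentation: the validator runs the built-in checks first and only then applies an extra scan, so it can tighten validation but never loosen it. The class name `SupplementalRequestValidation` and the pattern are hypothetical and illustrative only; the regex timeout overload assumes .NET Framework 4.5 or later, and a scan like this complements parameterized queries rather than replacing them.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Util;

// Added example: class name and pattern are hypothetical, not from the page.
public class SupplementalRequestValidation : RequestValidator
{
    // Illustrative, deliberately small pattern; the timeout bounds regex cost.
    private static readonly Regex SqlPattern = new Regex(
        @"'\s*(?:or|and|union)\b|'\s*(?:;|--)|;\s*(?:drop|delete|insert|update|exec)\b"
        + @"|\bunion\s+(?:all\s+)?select\b",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant,
        TimeSpan.FromMilliseconds(100));

    protected override bool IsValidRequestString(
        HttpContext context, string value,
        RequestValidationSource requestValidationSource, string collectionKey,
        out int validationFailureIndex)
    {
        // Built-in checks run first, so this class can only tighten validation.
        if (!base.IsValidRequestString(context, value, requestValidationSource,
                collectionKey, out validationFailureIndex))
            return false;

        // Extra scan only for sources that carry user-supplied key/value data.
        bool scan = requestValidationSource == RequestValidationSource.QueryString
                 || requestValidationSource == RequestValidationSource.Form
                 || requestValidationSource == RequestValidationSource.Cookies;
        if (!scan || string.IsNullOrEmpty(value))
            return true;

        try
        {
            Match match = SqlPattern.Match(value);
            if (!match.Success)
                return true;
            validationFailureIndex = match.Index; // offset of the rejected text
            return false;
        }
        catch (RegexMatchTimeoutException)
        {
            validationFailureIndex = 0; // fail closed if the scan cannot finish
            return false;
        }
    }
}
```

It is registered through the same `requestValidationType` attribute shown in the Web.config example, with this class name in place of `CustomRequestValidation`.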
To create custom request validation, you write a custom class that derives from the RequestValidator base class. You then configure ASP.NET to use the custom request validator in the application-level Web.config file. You can put the custom class in the App_Code folder, in a compiled class library in the Bin folder, or in a compiled class library in the GAC.
Note
Only one custom request validation type can be configured for an application. It is not possible to configure a different request validation type for individual virtual paths or pages.
Constructors
RequestValidator() | Initializes a new instance of the RequestValidator class.
Properties
Current | Gets or sets a reference to the current RequestValidator instance that will be used in an application.
Methods
Equals(Object) | Determines whether the specified object is equal to the current object. (Inherited from Object)
GetHashCode() | Serves as the default hash function. (Inherited from Object)
GetType() | Gets the Type of the current instance. (Inherited from Object)
InvokeIsValidRequestString(HttpContext, String, RequestValidationSource, String, Int32) | Provides a public method that calls the protected IsValidRequestString(HttpContext, String, RequestValidationSource, String, Int32) method in order to validate HTTP request data.
IsValidRequestString(HttpContext, String, RequestValidationSource, String, Int32) | Validates a string that contains HTTP request data.
MemberwiseClone() | Creates a shallow copy of the current Object. (Inherited from Object)
ToString() | Returns a string that represents the current object. (Inherited from Object)