What characters or character combinations are invalid when ValidateRequest is set to true?
I've tried looking at the Microsoft site and Googling this but nobody seems to have an answer aside from the < and the >. There's more to it than that though. I've noticed that the HTML entity starter of &# is invalid. Is there anything else? Does anyone have a complete list?
1.1 Framework Validation:
* &#
* <alpha, <!, </
* script
* On handlers like onmouseenter, etc…
* expression(
* Looks for these starting characters (‘<’, ‘&’, ‘o’, ‘O’, ‘s’, ‘S’, ‘e’, ‘E’)
This is obviously a pretty strict list of items that would trigger a validation error. In the 2.0 Framework, Microsoft decided to loosen the restrictions on this quite a bit. Below is the list of validation checks in the 2.0 Framework.
2.0 Framework Validation:
* &#
* <alpha, <!, </, <?
* Looks for these starting characters (‘<’, ‘&’)
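
The 2.0 rule list above, modelled as a small C# scanner so you can see which form values would be rejected. This is an added example, not code from the answer or from the .NET Framework; the class and method names are hypothetical, and it implements only the rules listed above.

```csharp
using System;

static class RequestValidationModel
{
    // Start characters from the 2.0 list above; only these can begin a flagged sequence.
    static readonly char[] StartChars = { '<', '&' };

    // Returns the index of the first flagged sequence, or -1 if none is found.
    public static int FindFlagged(string value)
    {
        if (string.IsNullOrEmpty(value)) return -1;
        int i = 0;
        while (true)
        {
            int n = value.IndexOfAny(StartChars, i);
            // No start character left, or it is the last character: nothing follows it.
            if (n < 0 || n == value.Length - 1) return -1;
            char next = value[n + 1];
            if (value[n] == '<')
            {
                // Rules: <alpha, <!, </, <?
                bool alpha = (next >= 'a' && next <= 'z') || (next >= 'A' && next <= 'Z');
                if (alpha || next == '!' || next == '/' || next == '?') return n;
            }
            else if (next == '#')
            {
                return n; // Rule: &#
            }
            i = n + 1; // Keep scanning after a harmless '<' or '&'.
        }
    }

    static void Main()
    {
        // Constructed sample form values, not taken from the page.
        string[] samples = { "a < b", "<b>bold</b>", "R&D", "&#60;", "<!-- x -->", "<?xml?>", "5 <3", "x<" };
        foreach (string s in samples)
        {
            int at = FindFlagged(s);
            Console.WriteLine("{0,-14} {1}", s, at < 0 ? "accepted" : "flagged at index " + at);
        }
    }
}
```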
I don't have a complete list, but why do you need it? You can set ValidateRequest=false and prevent script injection yourself.
Maybe you will find the list here: Allowing percents, angle-brackets, and other naughty things in the ASP.NET/IIS Request URL