What characters or character combinations are invalid when ValidateRequest is set to true?

I've tried looking at the Microsoft site and Googling this but nobody seems to have an answer aside from the < and the >. There's more to it than that though. I've noticed that the HTML entity starter of &# is invalid. Is there anything else? Does anyone have a complete list?

Thanks!

Answers


List of characters by framework version

1.1 Framework Validation:

* &#
* <alpha, <!, </
* script
* On handlers like onmouseenter, etc…
* expression(
* Looks for these starting characters (‘<’, ‘&’, ‘o’, ‘O’, ‘s’, ‘S’, ‘e’, ‘E’)

This is obviously a pretty strict list of items that would trigger a validation error. In the 2.0 Framework, Microsoft decided to loosen the restrictions on this quite a bit. Below is the list of validation checks in the 2.0 Framework.

2.0 Framework Validation:

* &#
* <alpha, <!, </, <?
* Looks for these starting characters (‘<’, ‘&’)
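
The 2.0 Framework checks listed above, written out as a small C# scanner. This is an added example, not code from the answer or from ASP.NET itself; `RequestCheck` and `IsFlagged` are hypothetical names, `<alpha` is read as `<` followed by an ASCII letter, and the sample strings are constructed.

```csharp
using System;

// Added illustration: re-implements only the 2.0 Framework checks listed above.
// RequestCheck and IsFlagged are hypothetical names, not ASP.NET APIs.
static class RequestCheck
{
    // Assumption: "<alpha" in the list means '<' followed by an ASCII letter.
    static bool IsAsciiLetter(char c) =>
        (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

    // Returns true when the value contains one of the listed patterns;
    // 'index' receives the offset of the starting character, or -1.
    public static bool IsFlagged(string value, out int index)
    {
        index = -1;
        if (string.IsNullOrEmpty(value)) return false;

        int pos = 0;
        while (true)
        {
            // Only '<' and '&' can begin a flagged sequence.
            int hit = value.IndexOfAny(new[] { '<', '&' }, pos);
            // A starting character at the very end has nothing after it to test.
            if (hit < 0 || hit == value.Length - 1) return false;

            char next = value[hit + 1];
            bool flagged = value[hit] == '<'
                ? IsAsciiLetter(next) || next == '!' || next == '/' || next == '?'
                : next == '#';
            if (flagged) { index = hit; return true; }
            pos = hit + 1; // keep scanning after a harmless '<' or '&'
        }
    }

    static void Main()
    {
        // Constructed sample inputs: plain comparisons and ampersands
        // next to markup-like and entity-like values.
        string[] samples = { "a < b", "AT&T", "<b>bold</b>", "&#60;", "x <? y", "1<2" };
        foreach (string s in samples)
        {
            bool flagged = IsFlagged(s, out int at);
            Console.WriteLine($"{s,-14} flagged={flagged} at={at}");
        }
    }
}
```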

I don't have a complete list, but why do you need it? You can set ValidateRequest=false and prevent script injection yourself.

Maybe you will find the list here: Allowing percents, angle-brackets, and other naughty things in the ASP.NET/IIS Request URL

