ASP.NET includes a feature designed to automatically combat script injection (cross-site scripting) attacks, known as request validation: it rejects requests whose form, query string or cookie values contain HTML-like markup. There are two ways to disable request validation:
- Disable it for an individual page with the Page directive
<%@ Page ValidateRequest="false" Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
- Disable it for the entire web application by modifying web.config
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <pages validateRequest="false"/>
  </system.web>
</configuration>
Note that on ASP.NET 4.0 and later, validation runs before the page pipeline, so neither setting takes effect unless web.config also contains <httpRuntime requestValidationMode="2.0"/>. Disabling it removes a defence-in-depth layer for the whole page or application; prefer to leave it on and encode output instead.
To prevent these script injection attacks, encode untrusted input with Server.HtmlEncode before writing it to the response:
Response.Write("Entered Input is:" + Server.HtmlEncode(txtInput.Text));
HtmlEncode replaces characters that have special meaning in HTML with the HTML entities that represent those characters. For example, < is replaced with &lt;, > with &gt;, & with &amp;, and " with &quot;. Encoded data does not cause the browser to execute code; instead, the data is rendered as harmless text. This is sufficient for text placed in the HTML body or inside a quoted attribute value. It does not encode spaces or =, so it does not protect an unquoted attribute, and it does nothing for data placed inside a script block or a URL, which need their own encoders.
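The following console program is an added example, not code from the original post. It shows what the encoding above does to a constructed attacker payload, rendering the page's vulnerable Response.Write pattern beside the fixed one, and then demonstrates the attribute-context limit. It uses System.Net.WebUtility.HtmlEncode, which applies the same entity encoding as Server.HtmlEncode, so it runs without IIS or a Web Forms page; the function names and payload strings are assumptions made for the example.

```csharp
// Added example (not from the original post): HTML encoding of a constructed
// script-injection payload, plus the unquoted-attribute case HtmlEncode does not cover.
// System.Net.WebUtility.HtmlEncode encodes the same characters as Server.HtmlEncode
// (<, >, &, ", ') but needs no HttpContext, so this runs as a plain console app.
using System;
using System.Net;

static class HtmlEncodeDemo
{
    // The vulnerable pattern: raw input concatenated into the HTML response.
    public static string RenderUnsafe(string input)
    {
        return "Entered Input is:" + input;
    }

    // The fix from the post: entity-encode before writing.
    public static string RenderSafe(string input)
    {
        return "Entered Input is:" + WebUtility.HtmlEncode(input);
    }

    // Quoted attribute: the encoded " cannot close the value, so the input stays data.
    public static string RenderAttributeQuoted(string input)
    {
        return "<input value=\"" + WebUtility.HtmlEncode(input) + "\">";
    }

    // Unquoted attribute: a space ends the value and HtmlEncode leaves space and = alone,
    // so an attacker can add a new attribute without ever using <, >, " or &.
    public static string RenderAttributeUnquoted(string input)
    {
        return "<input value=" + WebUtility.HtmlEncode(input) + ">";
    }

    static void Main()
    {
        // Constructed attacker inputs for the demonstration.
        string scriptPayload = "<script>alert(1)</script>";
        string attributePayload = "x onmouseover=alert(1)";

        Console.WriteLine(RenderUnsafe(scriptPayload));
        // Entered Input is:<script>alert(1)</script>      -> browser runs the script

        Console.WriteLine(RenderSafe(scriptPayload));
        // Entered Input is:&lt;script&gt;alert(1)&lt;/script&gt;   -> shown as text

        Console.WriteLine(RenderAttributeQuoted(attributePayload));
        // <input value="x onmouseover=alert(1)">           -> whole payload is the value

        Console.WriteLine(RenderAttributeUnquoted(attributePayload));
        // <input value=x onmouseover=alert(1)>             -> onmouseover becomes a live handler
    }
}
```

In a Web Forms page, the same encoding is available without an explicit call through the <%: expression %> syntax introduced in ASP.NET 4, which HTML-encodes the expression's value. Always quote attribute values so the quoted case above is the one you are in.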
By Bryan Xu