Lazy Request Validation in ASPDotNET 4.5 and AntiXSS

Lazy Request Validation is an interesting feature included as part of .NET Framework 4.5 and ASP.NET 4.5. By default all request data is subject to request validation. However, you can configure the application to defer request validation until you actually access request data.

You can configure the application to use deferred validation in the Web.config file by setting the requestValidationMode attribute to 4.5 in the httpRUntime element, as in the following example:

<p><font color="#c0504d"></font>&#160;</p><p><font color="#c0504d">&lt;httpRuntime requestValidationMode=&quot;4.5&quot; ... /&gt;</font></p><p><font color="#c0504d"></font>&#160;</p>
  • When request validation mode is set to 4.5, request validation is triggered only for a specific request value and only when your code accesses that value.
  • For example, if your code gets the value of Request.Form["forum_post"], request validation is invoked only for that element in the form collection. None of the other elements in the Form collection are validated.
  • Earlier versions of ASP.NET, request validation was triggered for the entire request collection when any element in the collection was accessed.

But the above setting will not solve the problem of avoiding request validation while reading form values using Request.Form, Request.QueryString etc.  By default all the calls to Request.Form, Request.QueryString, Request.Cookies, Request.Url are validated.

To programmatically read the non validated form, querystring  values, you have to use the new HttpRequest.Unvalidated property  in to read the unvalidated form value. Unvalidated is a collection property inside HttpRequest class which will access to all of the common values of request data, like Form, QueryString, Cookies, and Url.
An example on how to use Unvalidated property:

<p><font color="#c0504d"></font>&#160;</p><p><font color="#c0504d">context.Request.Unvalidated.Form[“forum_post”]</font>   </p><p>//this will give you access in reading the form values without triggering request validation like in Request.Form</p><p>&#160;</p>

AntiXSS Feature

Another interesting addition to Request Validation process is that now ASP.NET runtime is now integrated with famous Microsoft AntiXSS Library. ASP.NET 4.5 now incorporates core encoding routines from version 4.0 of Microsoft AntiXSS library.

The encoding routines are implemented by the AntiXssEncoder type in the new System.Web.Security.AntiXss namespace.

You can use the AntiXssEncoder type directly by calling any of the static encoding methods that are implemented in the type.

Easiest implementation would be using the new anti-XSS routines is to configure an ASP.NET application to use the AntiXssEncoder class by default.

Enable it by add the following attribute to the Web.config file:

<p><font color="#c0504d"></font>&#160;</p><p><font color="#c0504d">&lt;httpRuntime ...<br />&#160; encoderType=&quot;System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a&quot; /&gt;</font></p><p><font color="#c0504d"></font>&#160;</p>

When the encoderType attribute is set to use the AntiXssEncoder type, all output encoding in ASP.NET automatically uses the new encoding routines.


Below are different other Microsoft AntiXSS library v4.0 features that have been incorporated into ASP.NET 4.5:

  • HtmlEncode, HtmlFormUrlEncode, and HtmlAttributeEncode
  • XmlAttributeEncode and XmlEncode
  • UrlEncode and UrlPathEncode (new)
  • CssEncode

For more references read MSDN Articles :

Request Validation in ASP.NET 4.5

New ASP.NET Request Validation Features (What’s New whitepaper)

Microsoft Anti-Cross Site Scripting Library V4.2

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.