ASP.NET, by default, checks whether the data sent to the server in a request contains HTML elements and other special characters. The reason for this is protection against vulnerabilities such as HTML injection and script injection.
HTML injection can have many harmful consequences, among them access to users' cookies (allowing the attacker to impersonate another user) and modification of the page content seen by the victims.
An HTML injection can lead to the exploitation of a more serious vulnerability, XSS (Cross-Site Scripting). An XSS attack occurs when the attacker is able to use a web application to send malicious scripts to other users. The user's browser has no way of knowing that the script is untrustworthy, so it runs it. Because the script appears to come from a trusted source, it can access cookies, session keys, and other sensitive information belonging to the user accessing that site.
All of these injections can be avoided by validating the content submitted in the request, and ASP.NET already does this for you when the ValidateRequest setting is turned on. Note that this setting can be configured per page, in Web.config (for the entire application) and even per control (ValidateRequestMode="Disabled|Enabled|Inherit").
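As an added example (not part of the original answer), the following single .aspx page shows the three levels mentioned above together: the application-wide Web.config setting (quoted in the comment at the top), the page-level ValidateRequest directive, and a single control that opts out with ValidateRequestMode="Disabled". The control and handler names (txtName, txtComment, btnSubmit, litName, litComment) are hypothetical. It assumes requestValidationMode="4.5" in Web.config, since per-control ValidateRequestMode is only honoured when ASP.NET validates lazily; with the older mode, the whole request is validated up front. Because the opted-out field is never checked by the framework, the handler encodes it with HttpUtility.HtmlEncode before writing it back into the response.

```aspx
<%@ Page Language="C#" ValidateRequest="true" %>
<%--
  Added example, not code from the original answer.
  Assumed Web.config for the application (needed so that the per-control
  ValidateRequestMode below takes effect):

  <system.web>
    <httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
    <pages validateRequest="true" />
  </system.web>
--%>
<script runat="server">
    // Runs on postback. txtComment (hypothetical name) has ValidateRequestMode="Disabled",
    // so its value is NOT checked by request validation: the page has to treat it as
    // untrusted and encode it before it is written back into the response.
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // txtName inherits the page setting (ValidateRequestMode="Inherit"). If the post
        // body contains markup such as "<script>" in this field, ASP.NET throws
        // HttpRequestValidationException when the value is read, so unvalidated
        // input never reaches the rest of this handler through this control.
        litName.Text = HttpUtility.HtmlEncode(txtName.Text);

        // Validation is switched off for txtComment, so output encoding is the only
        // thing standing between the submitted text and the next visitor's browser.
        // Literal renders its Text as raw markup by default, hence the explicit encode.
        litComment.Text = HttpUtility.HtmlEncode(txtComment.Text);
    }
</script>
<html>
<body>
<form id="form1" runat="server">
    <!-- Validated: inherits ValidateRequest="true" from the page directive -->
    <asp:TextBox ID="txtName" runat="server" />

    <!-- Validation disabled for this one control only (e.g. a field that must accept
         markup); everything else on the page is still validated -->
    <asp:TextBox ID="txtComment" runat="server" TextMode="MultiLine"
                 ValidateRequestMode="Disabled" />

    <asp:Button ID="btnSubmit" runat="server" Text="Send" OnClick="btnSubmit_Click" />

    <asp:Literal ID="litName" runat="server" />
    <asp:Literal ID="litComment" runat="server" />
</form>
</body>
</html>
```

Disabling validation on a control should be the exception, scoped to the one field that genuinely needs markup; the page-level ValidateRequest="false" switch removes the protection for every field on the page at once, which is why the per-control option is preferable when the framework targets 4.5 or later.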
Read more on:
- About HTML Injection and XSS: link, link
- An ASP.NET-centric view of injection types: link
- Setting options for ValidateRequest: link