Request Validation Rant
No, it's not the rant you've seen already regarding what a pain it is that Microsoft enables this feature by default.
No, my rant is that I've seen too many developers, some of whom I respect and know to be very smart people, blithely recommend turning this feature off at the machine or application level. For example:
[Darren Neimke] Today I installed V1.1 of the framework. It was great, I installed the PocketPC version of TaskVision, deployed it to the emulator and "poooof" - there it was, like magic, my first deployment of a PocketPC application {takes a majestic bow}.
After that magnificent victory I strode back to Mt. Doom to do battle with the Dark Forces of Sauron (a.k.a. CMS 2002) :-) Guess what happened next?
> Server Error in '/Blah' Application.
> -----------------------------------------------------------
> A potentially dangerous Request.Form value was detected from the client
Would you look at that... my app just broke. Just when I finally thought that I'd worked out CMS2002, the rug got pulled out from under me ;-)
I haven't bothered to check as yet, but I imagine that the validateRequest Page attribute must have existed in V1.0, that its value was set to false by default in the machine configuration file, and that V1.1 decided that we needed to have it. I guess that I should go on record as saying, "I don't believe that we needed to have it."
To disable it, you can turn it off in the config file like so:
<system.web>
    <pages validateRequest="false" />
</system.web>
Now I can understand the frustration with breaking changes, but like Paul Wilson, I applaud the ASP.NET team for including this feature in v1.1 and for turning it on by default. And I'm a little miffed that after all of the complaints Microsoft has had to endure about non-secure defaults, the reaction to a default setting that can (if not blithely disabled) eliminate scores of web application vulnerabilities has been less than encouraging, at best.
I'll grant that folks like Darren are probably experienced enough to take care of filtering or encoding input on their own. But I'd hope that they would also recognize that folks who read their blogs may not be. Telling folks "here's how you disable this PITA feature" without warning them that, once Request Validation is off, they are open to cross-site scripting attacks unless they specifically filter or encode every piece of user input before displaying it, is not a good idea, IMO. So please, a request to my fellow developers: if you're going to diss Request Validation, at least provide a caveat before telling people how to disable it.
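Here is the shape the caveat above is asking for, as an added example that is not from the original post and is not Darren's or the CMS 2002 code. The web.config setting quoted above switches validation off for every page in the application; this single-file ASP.NET page instead switches it off only for itself, because it has a legitimate reason to accept markup, and HTML-encodes everything it echoes back so that whatever arrived in the request renders as text rather than executing. The field and control names (title, body, TitleLabel, BodyLiteral) are hypothetical.

```csharp
<%@ Page Language="C#" ValidateRequest="false" %>
<%-- Added example, not code from the original post. ValidateRequest is off for
     this one page only; every other page keeps the machine-wide default (true). --%>
<script runat="server">
    // Hypothetical field names: "title" is a plain-text input, "body" is a
    // rich-text area that the page has a real reason to accept markup from.
    void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
            return;

        string title = Request.Form["title"];
        string body  = Request.Form["body"];

        // With request validation disabled, nothing stops "<script>" or an
        // "onmouseover=" attribute from arriving in either field. Encoding at
        // the point of output turns '<', '>', '&' and '"' into entities, so the
        // browser shows the characters instead of interpreting them.
        TitleLabel.Text = HttpUtility.HtmlEncode(title);

        // The rich-text body must not go out raw either. A real CMS would run
        // it through an allow-list sanitizer before storing it; without one,
        // encoding it is the safe default and the demonstrable minimum.
        BodyLiteral.Text = HttpUtility.HtmlEncode(body);
    }
</script>
<html>
<body>
<form runat="server">
    <input type="text" name="title" />
    <textarea name="body"></textarea>
    <input type="submit" value="Save" />
    <p><asp:Label id="TitleLabel" runat="server" /></p>
    <div><asp:Literal id="BodyLiteral" runat="server" /></div>
</form>
</body>
</html>
```

The design choice is where the encoding happens: at the moment a request value is written into the response, not when it is received or stored. That is the discipline Request Validation's blanket check was standing in for, and it is what has to replace it on any page where the check is turned off. Server.HtmlEncode does the same job from a code-behind class.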