Wednesday, May 18, 2011

How to overcome ValidateRequest problems

As part of a project to secure the Hunter HRMS application by Niloosoft, I ran into a problem with ASP.NET's ValidateRequest feature: it raises validation errors not only on characters such as < and >, but also on special text characters from other languages. I did not want to disable ValidateRequest (neither for the whole application in web.config nor for the specific page), because it is a valuable security feature. So I found the following way to get around ValidateRequest for one specific text box:
On the client, I catch the submit button's onclick event and use JavaScript to replace the text box's value with its URL-encoded form. This looks something like this:
document.getElementById("txtName").value = encodeURIComponent(document.getElementById("txtName").value);

Note that encodeURIComponent() is a built-in JavaScript function. You can Google it for more information, but basically it does exactly what its name says: it applies URL encoding to its input. Because it is designed to encode a single component of a URL rather than a whole URL, it also encodes URL characters such as /, & and ?.

Now, on the server side, all you need to do is decode the text using Server.UrlDecode().

Incidentally, this causes two problems: (1) while the page posts back, the user sees the value in the text box change to its encoded form, and (2) if the postback fails with an error, the encoded value remains in the text box instead of the real one. To overcome both, I did the following:
(a) I put the encoded value in a hidden field instead of the original text box.
(b) I set the text box to disabled so that its value does not post back to the server and trigger the validation error (make sure the form's "SubmitDisabledControls" property is set to false).
(c) In the page's OnPreLoad event I decoded the value from the hidden field and put it back into the text box.
This handling worked perfectly.

This is a great way to get around ValidateRequest for a specific text box. But note this: make sure to HTML-encode the value when you display it in labels, because it might include malicious script (it bypassed the ValidateRequest check, after all!). That is another subject, though (look up anti-XSS).
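To show the server side of the steps above end to end, here is an added example; it is not code from the original post or from the Hunter application. It runs as a plain console program instead of inside a Page, so WebUtility.UrlDecode and WebUtility.HtmlEncode stand in for Server.UrlDecode and Server.HtmlEncode; the hidden-field value is a constructed sample of what encodeURIComponent() produces for the text shown, and the class, method and field names are my own.

```csharp
using System;
using System.Net;

// Added example, not the post's code. Mirrors steps (a) and (c) of the post plus the
// "HTML-encode on output" rule, as a console program rather than a Web Forms Page.
static class ValidateRequestWorkaround
{
    // Constructed sample of the hidden-field value the browser posts back, i.e. the
    // result of encodeURIComponent("<b>Zoë</b> & co?"). The raw text contains '<',
    // which ValidateRequest rejects, plus a non-ASCII character.
    public const string OriginalText = "<b>Zoë</b> & co?";
    public const string HiddenFieldValue = "%3Cb%3EZo%C3%AB%3C%2Fb%3E%20%26%20co%3F";

    // Step (c): decode what the hidden field carried and put it back in the text box.
    // WebUtility.UrlDecode is the equivalent of Server.UrlDecode outside a web request.
    public static string RestoreTextBoxValue(string hiddenFieldValue)
    {
        return WebUtility.UrlDecode(hiddenFieldValue);
    }

    // The value skipped ValidateRequest, so it is untrusted markup: encode it before it
    // goes into a Label (or any other HTML output), otherwise a "<script>" tag would run.
    public static string RenderForLabel(string untrustedText)
    {
        return WebUtility.HtmlEncode(untrustedText);
    }

    static void Main()
    {
        string restored = RestoreTextBoxValue(HiddenFieldValue);
        Console.WriteLine("round trip lossless: " + (restored == OriginalText));
        Console.WriteLine("text box value     : " + restored);
        Console.WriteLine("label markup       : " + RenderForLabel(restored));
    }
}
```

In the Web Forms page itself, RestoreTextBoxValue is what belongs in the OnPreLoad override from step (c), and RenderForLabel is what wraps the value every time it is written into a Label, literal or attribute. WebUtility.UrlDecode, like Server.UrlDecode, also turns '+' into a space, which is harmless here because encodeURIComponent() encodes a literal '+' as %2B, so the round trip stays lossless.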

If this post helped you, please let me know by posting a comment !

Sunday, May 1, 2011

How to get rid of padded zeroes after decryption

This is how I got rid of padded zeroes after using RijndaelManaged encryption:


            // Strips the zero bytes that the padding appended to the decrypted buffer.
            // Requires: using System.Linq;
            static byte[] StripPaddedZeros(byte[] plainbytes)
            {
                // Find the index of the last appended zero. The bound is i >= 0,
                // not i > 0, so a value whose only non-zero byte is the first one
                // is not thrown away.
                int i = plainbytes.Length - 1;
                for (; i >= 0; i--)
                {
                    if (plainbytes[i] != 0)
                    {
                        i++;
                        break;
                    }
                }
                // Here i is the number of bytes to take from the array
                // (Take yields an empty array if every byte was zero).
                return plainbytes.Take(i).ToArray();
            }


If you first convert the byte[] to a string, you can clean the string up as follows:

            // Strips the '\0' characters that the padded zeros turned into at the end of the string.
            static string StripPaddedZeros(string decryptedString)
            {
                // Find the index of the last appended '\0'. The bound is i >= 0, not
                // i > 0, so a string whose only real character is the first one survives.
                int i = decryptedString.Length - 1;
                for (; i >= 0; i--)
                {
                    if (decryptedString[i] != '\0')
                    {
                        i++;
                        break;
                    }
                }
                // Here i is the number of characters to keep (Math.Max guards the
                // all-'\0' case, where i ends at -1).
                return decryptedString.Substring(0, Math.Max(i, 0));
            }
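Where the zeros come from, and why stripping them is only safe for data that can never end in a zero byte, as an added example that is not the post's code. It assumes the zeros are produced by RijndaelManaged with PaddingMode.Zeros (the post does not say which padding mode it used), uses a constructed fixed key and IV so the run is deterministic, and keeps the stripping loop from the post with its lower bound corrected to i >= 0.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example, not the post's code. RijndaelManaged is used because the post uses it;
// Aes.Create() is the modern equivalent and behaves the same for this demonstration.
static class ZeroPaddingDemo
{
    // Constructed fixed key/IV so the demo is deterministic. Never hard-code these in
    // real code; they exist here only to make the round trip reproducible.
    static readonly byte[] Key = Enumerable.Range(1, 32).Select(b => (byte)b).ToArray();
    static readonly byte[] IV = Enumerable.Range(1, 16).Select(b => (byte)b).ToArray();

    // Encrypts and immediately decrypts with the given padding mode and returns
    // whatever the decryptor hands back.
    static byte[] RoundTrip(byte[] plaintext, PaddingMode padding)
    {
        using (var rijndael = new RijndaelManaged { Key = Key, IV = IV, Padding = padding })
        {
            byte[] cipher;
            using (var enc = rijndael.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            using (var dec = rijndael.CreateDecryptor())
                return dec.TransformFinalBlock(cipher, 0, cipher.Length);
        }
    }

    // The post's stripping loop, with the bound i >= 0 so a value whose only
    // non-zero byte is the first one is not lost.
    public static byte[] StripTrailingZeros(byte[] plainbytes)
    {
        int i = plainbytes.Length - 1;
        for (; i >= 0; i--)
        {
            if (plainbytes[i] != 0) { i++; break; }
        }
        return plainbytes.Take(i).ToArray();
    }

    static void Main()
    {
        // Text that does not end in 0x00: stripping works as the post describes.
        byte[] text = Encoding.UTF8.GetBytes("hello");
        byte[] withZeros = RoundTrip(text, PaddingMode.Zeros);
        Console.WriteLine("Zeros padding, decrypted length: " + withZeros.Length);
        Console.WriteLine("After stripping: " + Encoding.UTF8.GetString(StripTrailingZeros(withZeros)));

        // Caveat: if the real plaintext ends in 0x00 (binary data, UTF-16 text, fixed-width
        // records), stripping destroys it, because nothing distinguishes data from padding.
        byte[] endsInZero = { 0x41, 0x00, 0x00 };
        int keptZeros = StripTrailingZeros(RoundTrip(endsInZero, PaddingMode.Zeros)).Length;
        Console.WriteLine("Zeros + strip: " + keptZeros + " of 3 bytes survive");

        // PKCS7 (the default) records the padding length, so the decryptor removes exactly
        // the bytes the encryptor added and no stripping is needed.
        int keptPkcs7 = RoundTrip(endsInZero, PaddingMode.PKCS7).Length;
        Console.WriteLine("PKCS7: " + keptPkcs7 + " of 3 bytes survive");
    }
}
```

PaddingMode.PKCS7 is RijndaelManaged's default, and with it the decryptor returns exactly the original bytes, which is the simpler fix whenever both ends of the channel are under your control. If the zeros instead come from reading the CryptoStream into a fixed-size buffer, the fix is to honour the byte count that Read returns rather than to strip afterwards.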