
A Journal about the experiences I have developing little applications in C#, Perl, Html and Javascript and talking about new things that I use. Always Geeky; Always Nerdy; Always poor Grammer!

I am a Software Analyst Developer working in Southport, England but living in Liverpool. I develop mainly in C# and ASP.Net. I have been developing commercial software for several years now. I maintain this site (hosted at SwitchMedia UK) as a way of exploring new technologies (such as AJAX) and just generally talking about techie geek issues. This site is developed through a host of Perl scripts and a liberal use of Javascript. I enjoy experimenting with new technologies and anything that I make I host here.

Sunday, May 22, 2005

ASP.Net Query Parameter Validation

I have just been thinking about a subject that has always concerned me with ASP.Net. By default, ASP.Net won't allow certain characters through on the query string that could potentially cause security problems (such as Cross Site Scripting attacks). The developer has the opportunity to turn this feature off, but would then be required to validate all the elements themselves.

I have just been thinking, wouldn't it be good if, when a Page class is defined, you could provide some predicates that must be true for the page not to be invalid? For instance, a developer could provide a list of all the accepted query parameters and their data types, and the runtime would take care of validating them automatically. I know you can have custom validators and the like, but they must always be called via validate.

Wouldn't it be nice if you could do something like:

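// Hypothetical attribute, as proposed here; it does not exist in ASP.Net.
// Attribute arguments must be compile-time constants, so the fields are named as strings.
[QueryParameterValidFields("inputName", "inputAge")]
public class TestPage : Page
{
    protected TextBox inputName;
    protected TextBox inputAge;
}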

I am not too sure if this type of thing has been done before, or even if it has any advantages over CustomValidators etc.

I just thought it might be quite handy, because you could separate the types out so that a Text attribute wouldn't allow HTML/XML characters and would remove them before the page is completely loaded, so that once the developer sees the data it is HTML safe.

I will have more of a think about this :).
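
The declarative check described above, written as an added example (not code from the original post): `QueryParameterAttribute` and `QueryValidator` are hypothetical names, `TestPage` stands in for a `System.Web.UI.Page` subclass so the block runs as a console program, and text values are HTML-encoded here rather than having the characters removed.

```csharp
using System;
using System.Collections.Specialized;
using System.Globalization;
using System.Linq;
using System.Net;

// Hypothetical attribute (not part of ASP.NET): one accepted query parameter and its type.
[AttributeUsage(AttributeTargets.Class, AllowMultiple = true)]
public sealed class QueryParameterAttribute : Attribute
{
    public readonly string Name;
    public readonly Type Type;
    public QueryParameterAttribute(string name, Type type) { Name = name; Type = type; }
}
[QueryParameter("name", typeof(string))]
[QueryParameter("age", typeof(int))]
public class TestPage { } // stand-in for a System.Web.UI.Page subclass
public static class QueryValidator
{
    // Allow-list check: undeclared or repeated keys and mistyped values are rejected.
    public static NameValueCollection Validate(Type pageType, NameValueCollection query)
    {
        var declared = pageType.GetCustomAttributes(typeof(QueryParameterAttribute), true)
            .Cast<QueryParameterAttribute>()
            .ToDictionary(a => a.Name, a => a.Type, StringComparer.OrdinalIgnoreCase);
        var clean = new NameValueCollection();
        foreach (string key in query.AllKeys)
        {
            string[] values = key == null ? null : query.GetValues(key);
            if (values == null || values.Length != 1 || !declared.TryGetValue(key, out Type type))
                throw new ArgumentException("Unexpected or repeated query parameter: " + key);
            if (type == typeof(int) && int.TryParse(values[0], NumberStyles.None, CultureInfo.InvariantCulture, out _))
                clean[key] = values[0];
            else if (type == typeof(string))
                clean[key] = WebUtility.HtmlEncode(values[0]); // encoded rather than stripped
            else
                throw new ArgumentException("Invalid value for query parameter: " + key);
        }
        return clean;
    }
    public static void Main()
    {
        // Constructed sample query string values.
        var query = new NameValueCollection { { "name", "<b>Paul</b>" }, { "age", "29" } };
        Console.WriteLine(Validate(typeof(TestPage), query)["name"]);
        query["age"] = "29<script>"; // rejected: not an integer
        try { Validate(typeof(TestPage), query); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```

In a Web Forms page the same call would take `Request.QueryString` and run from `OnInit`, so the page code only ever reads the validated collection.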

Comments:

Ah, could be a nice use of aspect-orientation. I guess it'd be a case of writing a custom attribute class ("QueryParameterValidation"), and testing for it on page initialization, adding validator controls to the control tree as necessary. I found a couple of other ways to do aspects in ASP.NET. You can extend the IExtenderProvider interface (not officially supported in Web Forms but possible via a hack) or create an aspect component that, when dropped on a .aspx page, can affect the behaviour of other controls it is associated with.

By Phil C, at Friday, May 27, 2005 7:54:00 PM

Yeah I was thinking of things like that. I have seen the IExtenderProvider (ala Tooltips) in WinForms but never used it. I will add that into my thoughts on this subject.

I generally think it will be a good idea. I am not too sure how to deal with dynamically created controls. But it is a start.

By Paul Kinlan, at Sunday, May 29, 2005 1:10:00 PM