ASP.NET ValidateRequest Is Globally Disabled - Vulnerability Database

ASP.NET ValidateRequest Is Globally Disabled

Description

ASP.NET request validation (ValidateRequest) has been disabled for the whole application, typically by setting validateRequest="false" on the <pages> element in web.config. Request validation is a built-in check that inspects incoming request data (query string, form fields and cookies, and in ASP.NET 4.0 and later also headers) for sequences that look like HTML markup or script, such as "<" followed by a letter, and rejects the request with an HttpRequestValidationException ("A potentially dangerous Request.Form value was detected..."). It is a coarse, bypassable defense-in-depth measure and not a substitute for contextual output encoding, but turning it off globally removes that safety net from every page in the application, including pages that were never meant to accept markup, so any place where output encoding was missed becomes an exploitable cross-site scripting (XSS) vulnerability.

Remediation

Re-enable request validation globally by removing the validateRequest="false" setting from web.config, and opt out only the specific pages or fields that legitimately need to accept HTML. Follow these steps:

1. In web.config, either remove the validateRequest attribute from <pages> (true is the default) or set it explicitly. Check every web.config in the application, since a setting in a subdirectory overrides the root:

<system.web>
  <pages validateRequest="true" />
</system.web>
2. For individual pages that require HTML input (such as a rich text editor), disable ValidateRequest only in that page's directive:
<%@ Page ValidateRequest="false" %>
Note that in ASP.NET 4.0 and later the page-level attribute is ignored unless web.config also sets requestValidationMode="2.0" on <httpRuntime>, and that setting weakens validation for the whole application (it then runs only for .aspx pages, not for handlers, MVC controllers or Web API). On ASP.NET 4.5 and later, prefer requestValidationMode="4.5" and read only the rich-text field through Request.Unvalidated, which leaves every other field on the page validated.
3. For every field that bypasses request validation, sanitize the HTML with an allowlist sanitizer before storing or rendering it. Microsoft's AntiXSS library is no longer maintained (its encoders live on as System.Web.Security.AntiXss in .NET 4.5+), so use the HtmlSanitizer NuGet package and allow only the tags and attributes the editor actually needs:
// Example using HtmlSanitizer
using Ganss.Xss;   // namespace is Ganss.XSS in versions before 7.0

var sanitizer = new HtmlSanitizer();
// Start from empty sets so a library upgrade cannot widen the policy.
sanitizer.AllowedTags.Clear();
sanitizer.AllowedTags.Add("b");
sanitizer.AllowedTags.Add("i");
sanitizer.AllowedTags.Add("p");
sanitizer.AllowedTags.Add("br");
sanitizer.AllowedAttributes.Clear();    // no onclick=, style=, etc.
sanitizer.AllowedCssProperties.Clear();
string cleanHtml = sanitizer.Sanitize(userInput);
4. Always encode user-supplied content at output time with the encoder for the context it is rendered into: HttpUtility.HtmlEncode (or the <%: %> syntax in Web Forms 4.0+) for HTML body and attribute values, HttpUtility.JavaScriptStringEncode for values embedded in script, and HttpUtility.UrlEncode for query string parameters. Only the sanitized rich-text fragment from step 3 is rendered as raw HTML; everything else is encoded, whether or not request validation is on.
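The four steps above as one Web Forms page. This is an added example, not Invicti's text or any project's code: it keeps request validation on for the whole application, opts out a single rich-text field with Request.Unvalidated (the ASP.NET 4.5 alternative to the page directive in step 2), runs it through the HtmlSanitizer allowlist from step 3, and encodes every other value per context as in step 4. The page and control names (CommentPreview, AuthorLiteral, BodyLiteral, PermalinkHyperLink) and the "author"/"body" form fields are hypothetical; the web.config and markup it assumes are shown in the leading comment.

```csharp
// Added example, not Invicti's or any project's code. Hypothetical page and control names.
// Requires ASP.NET 4.5+ and the HtmlSanitizer NuGet package.
//
// Assumed web.config (validation stays enabled; 4.5 mode makes it lazy and per-value,
// which is what lets Request.Unvalidated below work for one field):
//   <system.web>
//     <httpRuntime targetFramework="4.8" requestValidationMode="4.5" />
//     <pages validateRequest="true" />
//   </system.web>
//
// Assumed CommentPreview.aspx markup for the output controls:
//   <asp:Literal   ID="AuthorLiteral"      runat="server" />
//   <asp:Literal   ID="BodyLiteral"        runat="server" />
//   <asp:HyperLink ID="PermalinkHyperLink" runat="server">Permalink</asp:HyperLink>

using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Ganss.Xss;   // "Ganss.XSS" in HtmlSanitizer versions before 7.0

public partial class CommentPreview : Page
{
    // Build the allowlist once at type initialization.
    private static readonly HtmlSanitizer Sanitizer = BuildSanitizer();

    private static HtmlSanitizer BuildSanitizer()
    {
        var s = new HtmlSanitizer();

        // Start from empty sets rather than trimming the defaults, so a library
        // upgrade that adds a default tag or attribute cannot widen the policy.
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "b", "i", "p", "br", "a" })
            s.AllowedTags.Add(tag);

        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");   // the only attribute the editor needs

        s.AllowedSchemes.Clear();          // drops javascript:, data:, vbscript: links
        s.AllowedSchemes.Add("https");

        s.AllowedCssProperties.Clear();    // no style="" payloads survive
        return s;
    }

    protected void Preview_Click(object sender, EventArgs e)
    {
        // Only this field bypasses request validation. Reading Request.Form["body"]
        // instead would throw HttpRequestValidationException as soon as the rich-text
        // editor submits "<p>".
        string rawBody = Request.Unvalidated.Form["body"] ?? string.Empty;
        string safeBody = Sanitizer.Sanitize(rawBody);

        // Every other field is still validated by the framework...
        string author = Request.Form["author"] ?? string.Empty;

        // ...and still encoded on output, because request validation is not an encoder.
        AuthorLiteral.Mode = LiteralMode.Encode;      // HtmlEncode applied at render time
        AuthorLiteral.Text = author;

        // The sanitized fragment is meant to be HTML, so it is rendered as-is. This is the
        // one raw-HTML sink on the page, and only the sanitizer's output ever reaches it.
        BodyLiteral.Mode = LiteralMode.PassThrough;
        BodyLiteral.Text = safeBody;

        // The same value inside a <script> block needs the JavaScript string encoder;
        // HtmlEncode would not stop a closing quote from breaking out of the literal.
        string js = "window.previewAuthor = "
                  + HttpUtility.JavaScriptStringEncode(author, true) + ";";
        ClientScript.RegisterStartupScript(GetType(), "previewAuthor", js, true);

        // And inside a query string it needs the URL encoder.
        PermalinkHyperLink.NavigateUrl =
            "~/Comments.aspx?author=" + HttpUtility.UrlEncode(author);
    }
}
```

Submitting a body such as <p>Hi</p><script>alert(1)</script><a href="javascript:alert(1)">x</a> leaves the paragraph, drops the script element and strips the javascript: href, while an author value containing markup is never rendered raw anywhere: it is HTML-encoded in the Literal, JavaScript-encoded in the startup script and URL-encoded in the permalink.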

Related Vulnerabilities