
Improving Web Application Security: Threats and - CGISecurity

Chapter 10: Building Secure ASP.NET Pages and Controls 275

Validating Unicode Characters

Use the following code to validate Unicode characters in a page:

    using System.Text.RegularExpressions;
    . . .
    private void Page_Load(object sender, System.EventArgs e)
    {
        // Name must contain between 1 and 40 alphanumeric characters
        // together with (optionally) special characters '`´ for names such
        // as D'Angelo
        // ('`´ are included in the character class so that the pattern
        // actually accepts the characters the comment describes)
        if (!Regex.IsMatch(Request.Form["name"], @"^[\p{L}\p{Zs}\p{Lu}\p{Ll}'`´]{1,40}$"))
            throw new ArgumentException("Invalid name parameter");

        // Use individual regular expressions to validate other parameters
        . . .
    }

The following explains the regular expression shown in the preceding code:

● {} specifies a named Unicode character class.
● \p{} matches any character in the named character class specified by {}.
● {L} performs a left-to-right match.
● {Lu} performs a match of uppercase.
● {Ll} performs a match of lowercase.
● {Zs} matches separator and space.
● {1,40} means no less than 1 and no more than 40 characters.
● {Mn} matches mark and non-spacing characters.
● * specifies zero or more matches.
● $ means stop looking at this position.

Use the ASP.NET validateRequest Option

The validateRequest attribute is a .NET Framework version 1.1 feature. This attribute is set to true by default on the <pages> element in Machine.config. It instructs ASP.NET to examine all data received from the browser for potentially malicious input, for example, input that contains <script> elements. ASP.NET examines input received from HTML form fields, cookies, and query strings. .NET Framework version 1.0 does not provide any equivalent functionality, but the IIS URLScan Internet Server Application Programming Interface (ISAPI) filter can perform a similar job. You can also apply the setting to each page using the @ Page tag, as follows:
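The following is an added example, not code from the book: a stand-alone C# name validator built from the same \p{} Unicode categories that the Validating Unicode Characters section uses, with constructed sample inputs. It assumes .NET Framework 4.5 or later for the Regex constructor that takes a match timeout. It deliberately differs from the page's pattern in three places a practitioner would want to check: the apostrophe-like characters named in the book's comment are actually in the character class; \p{Mn} is included so that a decomposed accented name (base letter plus combining mark) passes as well as its precomposed form; and \z replaces $, because in .NET a $ anchor without RegexOptions.Multiline also matches just before a trailing newline, so an input such as "Bob\n" would satisfy the original ^...$ check. Note also that \p{L} is the Unicode letter category and already covers \p{Lu} and \p{Ll}, so listing those separately adds nothing to what is accepted.

```csharp
// Added example (not from the book): Unicode-aware allow-list validation
// for a "name" field, modelled on the chapter's \p{} regular expression.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class NameValidator
{
    // \p{L}  = any Unicode letter (Lu, Ll, Lt, Lm and Lo combined)
    // \p{Mn} = non-spacing marks, e.g. a combining acute accent U+0301
    // \p{Zs} = space separators (ordinary space, NBSP); tab and newline are NOT Zs
    // '`´    = the apostrophe-like characters the chapter's comment allows
    // \z     = absolute end of input; unlike $, it rejects a trailing "\n"
    private static readonly Regex NamePattern = new Regex(
        @"^[\p{L}\p{Mn}\p{Zs}'`´]{1,40}\z",
        RegexOptions.None,
        TimeSpan.FromMilliseconds(100)); // match timeout; assumes .NET 4.5+

    // Returns true only when the whole input is inside the allow-list.
    public static bool IsValidName(string name)
    {
        if (name == null)
        {
            return false; // Request.Form["name"] is null when the field is absent
        }
        return NamePattern.IsMatch(name);
    }

    public static void Main()
    {
        // Constructed sample inputs with the result each one is expected to give.
        var samples = new Dictionary<string, bool>
        {
            { "D'Angelo",          true  }, // apostrophe is in the class
            { "José Müller",       true  }, // precomposed accented letters are \p{L}
            { "Jose\u0301",        true  }, // 'e' + combining acute accent (\p{Mn})
            { "Zoë Ørsted",        true  },
            { "",                  false }, // below the {1,40} minimum
            { new string('a', 41), false }, // above the {1,40} maximum
            { "Bob<script>",       false }, // '<' and '>' are outside the class
            { "Bob\tSmith",        false }, // tab is a control character, not \p{Zs}
            { "Bob\n",             false }, // would pass with $, rejected by \z
            { "Bob; DROP TABLE",   false }, // ';' is punctuation, outside the class
        };

        foreach (var sample in samples)
        {
            bool actual = IsValidName(sample.Key);
            string verdict = actual == sample.Value ? "ok  " : "FAIL";
            Console.WriteLine($"{verdict} valid={actual,-5} input={Escape(sample.Key)}");
        }
    }

    // Make control characters visible in the console output.
    private static string Escape(string s) =>
        s.Replace("\n", "\\n").Replace("\t", "\\t");
}
```

Running Main prints one line per sample, each prefixed "ok" when the validator's answer matches the expected column. The design point is the same as the chapter's: constrain input with an allow-list of what a name may contain rather than a deny-list of dangerous characters, and anchor both ends of the pattern so that the whole value, not just a prefix, is checked.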
