Lazy Request Validation in ASPDotNET 4.5 and AntiXSS

October 16, 2012 .NET, .NET Framework, All, ASP.NET, ASP.NET 4.5, ASP.NET MVC, CodeSnippets, KnowledgeBase, Microsoft, Recommends, VisualStudio, VS2012, Web No comments

Lazy Request Validation is an interesting feature included as part of .NET Framework 4.5 and ASP.NET 4.5. By default all request data is subject to request validation. However, you can configure the application to defer request validation until you actually access request data.

You can configure the application to use deferred validation in the Web.config file by setting the requestValidationMode attribute to 4.5 in the httpRUntime element, as in the following example:

<p><font color="#c0504d"></font>&#160;</p><p><font color="#c0504d">&lt;httpRuntime requestValidationMode=&quot;4.5&quot; ... /&gt;</font></p><p><font color="#c0504d"></font>&#160;</p>
  • When request validation mode is set to 4.5, request validation is triggered only for a specific request value and only when your code accesses that value.
  • For example, if your code gets the value of Request.Form["forum_post"], request validation is invoked only for that element in the form collection. None of the other elements in the Form collection are validated.
  • Earlier versions of ASP.NET, request validation was triggered for the entire request collection when any element in the collection was accessed.

But the above setting will not solve the problem of avoiding request validation while reading form values using Request.Form, Request.QueryString etc.  By default all the calls to Request.Form, Request.QueryString, Request.Cookies, Request.Url are validated.

To programmatically read the non validated form, querystring  values, you have to use the new HttpRequest.Unvalidated property  in to read the unvalidated form value. Unvalidated is a collection property inside HttpRequest class which will access to all of the common values of request data, like Form, QueryString, Cookies, and Url.
An example on how to use Unvalidated property:

<p><font color="#c0504d"></font>&#160;</p><p><font color="#c0504d">context.Request.Unvalidated.Form[“forum_post”]</font>   </p><p>//this will give you access in reading the form values without triggering request validation like in Request.Form</p><p>&#160;</p>

AntiXSS Feature

Another interesting addition to Request Validation process is that now ASP.NET runtime is now integrated with famous Microsoft AntiXSS Library. ASP.NET 4.5 now incorporates core encoding routines from version 4.0 of Microsoft AntiXSS library.

The encoding routines are implemented by the AntiXssEncoder type in the new System.Web.Security.AntiXss namespace.

You can use the AntiXssEncoder type directly by calling any of the static encoding methods that are implemented in the type.

Easiest implementation would be using the new anti-XSS routines is to configure an ASP.NET application to use the AntiXssEncoder class by default.

Enable it by add the following attribute to the Web.config file:

<p><font color="#c0504d"></font>&#160;</p><p><font color="#c0504d">&lt;httpRuntime ...<br />&#160; encoderType=&quot;System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a&quot; /&gt;</font></p><p><font color="#c0504d"></font>&#160;</p>

When the encoderType attribute is set to use the AntiXssEncoder type, all output encoding in ASP.NET automatically uses the new encoding routines.


Below are different other Microsoft AntiXSS library v4.0 features that have been incorporated into ASP.NET 4.5:

  • HtmlEncode, HtmlFormUrlEncode, and HtmlAttributeEncode
  • XmlAttributeEncode and XmlEncode
  • UrlEncode and UrlPathEncode (new)
  • CssEncode

For more references read MSDN Articles :

Request Validation in ASP.NET 4.5

New ASP.NET Request Validation Features (What’s New whitepaper)

Microsoft Anti-Cross Site Scripting Library V4.2

Zurker– a Social Network with Ownership

May 15, 2012 All, Announcements, MyStuff, Recommends, Social No comments

Zurker is a new social media site where you become an investor and earn shares. You can buy up to 500 shares(it is the limit) of Zurker and you will become an investor for this Social Network.

To make it simple – Zurker is a member owned application. Once you join Zurker, you becomes one of the owners of Zurker. Each of your friends join with your referral you will get 1 or 2 shares each.

This means Zurker isn’t owned by a select few venture capitalists who stand to make billions and billions. There is nothing wrong with the idea of venture capitalists making billions from tech investments, but in the case of a social network, the priorities get skewed.

Right now Zurker membership is based on Referrals. Give it a try?, If you want to join Zurker, use my referral link –

Read more about Zurker on

Enterprise Solution Patterns Using Microsoft .NET – Version 2.0

January 9, 2012 .NET, .NET Framework, All, Architectures, ASP.NET, Books I Like, Design Patterns, Enterprise Library, KnowledgeBase, Microsoft, Patterns&Practices, Recommends No comments

This is a little old document. But very useful for people who would like to learn more about “Enterprise Solution Patterns using Microsoft.NET” , by Microsoft Patterns & Practices

This document is very good for referencing for common solution patterns and provides little more focus on ASP.NET based Solution Pattterns.

Nice reference though!!.