.NET 4.0
VS 2012
IIS 7
I have an app that takes in email addresses on various pages, and I'm finding that users are copy/pasting directly into a few inputs and it's triggering the error mentioned in the title. Here's an example:
"blah blah" <blah@blah.com>
Obviously the brackets are triggering the problem. I realize I can simply switch the validation to 2.0, but I would prefer not doing that, so here are my question(s).
- Is there a way to have the runtime react better? When this is encountered, instead of throwing up an uber scary page, it treats it as an input error and displays a message to the user (in the general case). For example, in the scenario I'm speaking of, I could display an error message about < and > not being allowed in email addresses. I like the protection, but I dislike the idea that the 'oops' page is shown every time someone enters input that's potentially dangerous.
- If I were to relax the validation:
  - Can I do it on a per page basis? I don't believe so, but I'm asking for completeness.
  - What tools does ASP.NET give me to protect myself against these types of issues manually? I really don't want to get into the game of writing stuff to look over the input for potentially dangerous things.
You can relax your validation on a per page basis by putting ValidateRequest="false" in the page heading.
You can then use a regular expression to validate the email address, like this:
For other controls you could use the regular expression "^[^<>]+$" to check for angle brackets. In reality, you don't need to worry about "potentially dangerous" user input unless you're outputting it to the client (HTML / JavaScript), or you're including it in an SQL statement.
Alternatively, you could try to write a page level error handler in your page or an application level error handler in Global.asax.
Page level error handling: http://msdn.microsoft.com/en-us/library/ed577840(v=vs.100).aspx
Application level error handling: http://msdn.microsoft.com/en-us/library/24395wz3(v=vs.100).aspx
This page gives some useful info about disabling request validation in ASP.NET:
http://msdn.microsoft.com/en-us/library/hh882339(v=vs.100).aspx
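The two approaches from the answer above, sketched as an added example that is not part of the original answer: an application-level handler in Global.asax that turns a request validation failure into a plain input error, and a helper for a page where validation has been relaxed. The `EmailInput` class, its method names and the message text are assumptions made for illustration.

```csharp
// Global.asax.cs (added example; EmailInput and the message text are hypothetical)
using System;
using System.Net.Mail;
using System.Web;

public class Global : HttpApplication
{
    // Application-level handler: report request validation failures as an
    // ordinary input error instead of the default error page.
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        // Page exceptions can arrive wrapped in HttpUnhandledException.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        if (ex is HttpRequestValidationException)
        {
            Server.ClearError();
            Response.Clear();
            Response.StatusCode = 400;
            Response.TrySkipIisCustomErrors = true; // keep IIS 7 from replacing the body
            Response.ContentType = "text/plain";
            // Static text only: the rejected input is never echoed back.
            Response.Write("Characters such as < and > are not allowed. " +
                           "Please go back and enter only the email address.");
        }
    }
}

public static class EmailInput
{
    // For a page with request validation relaxed: accept a pasted
    // "Display Name" <user@example.com> value and keep only the address part.
    public static bool TryGetAddress(string raw, out string address)
    {
        address = null;
        if (string.IsNullOrWhiteSpace(raw)) return false;
        try
        {
            address = new MailAddress(raw.Trim()).Address;
            return true;
        }
        catch (FormatException) { return false; }
    }

    // Encode whatever the user typed before writing it into HTML output.
    public static string ForHtml(string raw)
    {
        return HttpUtility.HtmlEncode(raw ?? string.Empty);
    }
}
```

With the pasted value from the question, `TryGetAddress` returns the bare address `blah@blah.com`, and `ForHtml` is what makes it safe to redisplay the original text next to a validation message.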