The built-in protection in ASP.NET 1.1 is broken.
The "ValidateInput()" method does not work: it ignores null characters, and so does IE. So your 'ValidatePageInput="true"' does nothing. You are not safe.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/scriptingprotection.asp
Write your own HTTPModule or buy mine.
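One way to write such a module, as an added example that is not the author's product or Microsoft's code: an `IHttpModule` that rejects any request carrying a null character in the query string, form or cookies, the three collections request validation covers. The class name `NullCharFilterModule` is hypothetical, and the code sticks to C# 1.x syntax so it compiles for ASP.NET 1.1.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;

// Added example (hypothetical class name): refuses requests that carry a
// null character in query string, form or cookie data, before any page runs.
public class NullCharFilterModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;

        if (HasNull(req.QueryString) || HasNull(req.Form) || HasNull(req.Cookies))
        {
            // Fail closed: answer 400 and skip the rest of the pipeline.
            app.Context.Response.StatusCode = 400;
            app.CompleteRequest();
        }
    }

    private static bool HasNull(string s)
    {
        return s != null && s.IndexOf('\0') >= 0;
    }

    // Index-based access so entries with a null key ("?value") are checked too.
    private static bool HasNull(NameValueCollection c)
    {
        for (int i = 0; i < c.Count; i++)
            if (HasNull(c.GetKey(i)) || HasNull(c.Get(i))) return true;
        return false;
    }

    private static bool HasNull(HttpCookieCollection cookies)
    {
        for (int i = 0; i < cookies.Count; i++)
            if (HasNull(cookies[i].Name) || HasNull(cookies[i].Value)) return true;
        return false;
    }
}
```

Register the class under `<httpModules>` in web.config so it runs for every request. It only closes the null-character gap described above; output should still be encoded with `HttpUtility.HtmlEncode`.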