1 //------------------------------------------------------------------------------
2 // <copyright file="RequestValidator.cs" company="Microsoft">
3 // Copyright (c) Microsoft Corporation. All rights reserved.
5 //------------------------------------------------------------------------------
8 * Base class providing extensibility hooks for custom request validation
10 * Copyright (c) 2009 Microsoft Corporation
13 namespace System.Web.Util {
15 using System.Diagnostics.CodeAnalysis;
16 using System.Threading;
18 using System.Web.Configuration;
20 public class RequestValidator {
// Validator handed out by Current. Stays null until Current is first read or a caller
// assigns one through the Current setter.
private static RequestValidator _customValidator;

// Creates the configured validator on the first read of Value and caches it. This
// constructor overload uses Lazy<T>'s default thread-safety mode, so the factory runs at
// most once even when several threads race on that first read.
private static readonly Lazy<RequestValidator> _customValidatorResolver = new Lazy<RequestValidator>(GetCustomValidatorFromConfig);
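// Gets or sets the validator that request validation uses in this AppDomain.
//
// get: returns the assigned validator, falling back to the one built from configuration
//      the first time it is read with nothing assigned.
// set: replaces the validator for every later reader; throws ArgumentNullException when
//      handed null.
//
// The setter is public and static, so any code loaded in the AppDomain can swap the
// validator for all callers, including for a more permissive one. Assign it once during
// application start-up and treat any later assignment as worth auditing.
public static RequestValidator Current {
    get {
        // NOTE(review): check-then-assign with no lock. A setter call that lands between the
        // null check and the assignment is overwritten by the configured validator.
        if (_customValidator == null) {
            _customValidator = _customValidatorResolver.Value;
        }
        return _customValidator;
    }
    set {
        // NOTE(review): the accessor keywords and this guard are absent from the listing (its
        // gutter numbers skip those lines); reconstructed from the "value" argument name,
        // because an unconditional throw would leave the assignment below unreachable.
        if (value == null) {
            throw new ArgumentNullException("value");
        }
        _customValidator = value;
    }
}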
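// Creates the validator whose type is named by the requestValidationType setting of the
// application's HttpRuntime configuration section, and returns the new instance.
//
// The type name comes from configuration, so whoever can edit that configuration chooses the
// code that runs as the request validator. The base-type check only establishes that the
// type derives from RequestValidator; it says nothing about how strict that type is, so
// write access to the configuration needs the same protection as the application's code.
private static RequestValidator GetCustomValidatorFromConfig() {
    // App since this is static per AppDomain
    RuntimeConfig appConfig = RuntimeConfig.GetAppConfig();
    HttpRuntimeSection section = appConfig.HttpRuntime;
    string typeName = section.RequestValidationType;

    // Resolve the name, then require RequestValidator as the base type before anything is
    // instantiated. NOTE(review): both helpers are defined outside this listing; presumably
    // they raise a configuration error on failure - confirm.
    Type validatorType = ConfigUtil.GetType(typeName, "requestValidationType", section);
    ConfigUtil.CheckBaseType(typeof(RequestValidator) /* expectedBaseType */, validatorType, "requestValidationType", section);

    // NOTE(review): the listing drops the line that hands the instance back (its gutter
    // numbers skip it); the freshly created instance is the only value this method has to
    // return.
    return (RequestValidator)HttpRuntime.CreatePublicInstance(validatorType);
}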
// Forces creation of the configured validator if that has not happened yet. The instance is
// not stored in _customValidator here; only the lazy resolver's cached value is populated.
internal static void InitializeOnFirstRequest() {
    // Reading Value is what triggers the factory; the local exists only because a bare
    // property read is not a valid statement.
    RequestValidator resolved = _customValidatorResolver.Value;
}
// Public wrapper over IsValidRequestString. That method shipped as protected, and widening it
// to public would unfortunately be a breaking change. This entry point lets third parties
// write wrapper classes around RequestValidator instances.
[SuppressMessage("Microsoft.Design", "CA1021:AvoidOutParameters",
    Justification = "This is an appropriate way to return multiple pieces of data.")]
public bool InvokeIsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex) {
    // All five arguments are forwarded untouched; the verdict and the failure index both come
    // from IsValidRequestString.
    bool accepted = IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
    return accepted;
}
// True only for the 52 unaccented ASCII letters; digits, punctuation and non-ASCII letters
// all yield false. Nothing in this listing calls it.
private static bool IsAtoZ(char c) {
    if (c >= 'a' && c <= 'z') {
        return true;
    }
    return c >= 'A' && c <= 'Z';
}
// Default validation hook: decides whether a single request value may pass.
//
//   context                 - not read by this default implementation.
//   value                   - the string handed to the script-injection check.
//   requestValidationSource - the source of the value; Headers short-circuits to "valid".
//   collectionKey           - not read by this default implementation.
//   validationFailureIndex  - 0 for header values; otherwise whatever
//                             CrossSiteScriptingValidation.IsDangerousString reports.
//
// Returns true when the value is accepted, false when IsDangerousString flags it.
//
// Header values are accepted without inspection, so code that echoes a request header into a
// response has to encode it itself; a validator that needs header checks must override this
// method.
[SuppressMessage("Microsoft.Design", "CA1021:AvoidOutParameters",
    Justification = "This is an appropriate way to return multiple pieces of data.")]
protected internal virtual bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex) {
    if (requestValidationSource != RequestValidationSource.Headers) {
        bool flagged = CrossSiteScriptingValidation.IsDangerousString(value, out validationFailureIndex);
        return !flagged;
    }

    // Ignore Headers collection in the default implementation
    validationFailureIndex = 0;
    return true;
}