Constrain, Then Sanitize


- J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Start by constraining input: check for known good data by validating type, length, format, and range, and reject anything that does not match. Only after input has been constrained should you sanitize it, that is, make potentially malicious input safe to use. Sanitizing is needed mainly where a field must accept free-format text. For example, if your application supports comment fields, you might want to permit a short allow list of "safe" HTML elements, such as bold and italic, and strip out or encode every other HTML element rather than trying to enumerate the dangerous ones. The following table summarizes the options that are available for constraining and sanitizing data:

Table: Options for Constraining and Sanitizing Data

Requirement     Options
Type checks     .NET Framework type system: parse string data, convert to a strong type, and handle FormatException.
                Regular expressions: use the ASP.NET RegularExpressionValidator control or the Regex class.
Length checks   Regular expressions; String.Length property.
Format checks   Regular expressions for pattern matching; .NET Framework type system (for example, parse to DateTime).
Range checks    ASP.NET RangeValidator control (supports currency, date, integer, double, and string data); typed data comparisons.
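The following C# class is an added example, not code from the original guidance, showing the table's options applied in order: type, range, format, and length checks that reject anything not known good, followed by sanitizing of the one free-format field. The class and member names (ConstrainThenSanitize, TryParseAge, SanitizeComment) and the sample inputs are assumptions made for the example; the allowed tag set (<b> and <i>) follows the page's bold-and-italic illustration.

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Text.RegularExpressions;

// Added example (hypothetical names): constrain every field first, then
// sanitize only the field that must accept free-format text.
public static class ConstrainThenSanitize
{
    // Known-good pattern for a user name: letters, digits, underscore, 3-20 chars.
    // \A and \z anchor the whole string; a trailing $ alone still matches
    // before a final newline, so "alice\n" would slip past a $-anchored check.
    // The match timeout bounds the cost of pathological backtracking.
    private static readonly Regex UserNamePattern =
        new Regex(@"\A[A-Za-z0-9_]{3,20}\z", RegexOptions.None, TimeSpan.FromMilliseconds(100));

    // Type check via the type system, then a range check on the typed value.
    // NumberStyles.None rejects signs, whitespace and exponents outright.
    public static bool TryParseAge(string raw, out int age)
    {
        return int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out age)
               && age >= 0 && age <= 130;
    }

    // Format check via the type system: only the exact yyyy-MM-dd layout is accepted,
    // and impossible dates such as 1990-02-30 fail the parse.
    public static bool TryParseBirthDate(string raw, out DateTime date)
    {
        return DateTime.TryParseExact(raw, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                      DateTimeStyles.None, out date)
               && date <= DateTime.UtcNow.Date;
    }

    // Length check first (cheap, and it protects the regex), then the pattern.
    public static bool IsValidUserName(string raw)
    {
        if (raw == null || raw.Length > 20) return false;
        try
        {
            return UserNamePattern.IsMatch(raw);
        }
        catch (RegexMatchTimeoutException)
        {
            return false; // a timeout is treated as "not known good"
        }
    }

    // Sanitize the free-format field: encode everything, then restore only the
    // exact, attribute-free tags on the allow list. "<b onmouseover=...>",
    // "<script>" and uppercase "<B>" do not match and stay encoded as literal text.
    public static string SanitizeComment(string raw, int maxLength = 2000)
    {
        if (raw == null) return string.Empty;
        if (raw.Length > maxLength) raw = raw.Substring(0, maxLength);

        string encoded = WebUtility.HtmlEncode(raw);
        return encoded
            .Replace("&lt;b&gt;", "<b>").Replace("&lt;/b&gt;", "</b>")
            .Replace("&lt;i&gt;", "<i>").Replace("&lt;/i&gt;", "</i>");
    }

    public static void Main()
    {
        // Constructed sample input, including the kinds of values an attacker submits.
        foreach (string a in new[] { "42", "-1", "4e2", "42\n" })
            Console.WriteLine("age '" + a.Replace("\n", "\\n") + "': " + TryParseAge(a, out _));

        foreach (string d in new[] { "1990-02-28", "1990-02-30", "02/28/1990" })
            Console.WriteLine("date '" + d + "': " + TryParseBirthDate(d, out _));

        foreach (string u in new[] { "alice_01", "alice\n", "<script>", "ab" })
            Console.WriteLine("user '" + u.Replace("\n", "\\n") + "': " + IsValidUserName(u));

        Console.WriteLine(SanitizeComment("<b>hi</b><script>alert(1)</script><b onmouseover=x>y</b>"));
        // Output: <b>hi</b>&lt;script&gt;alert(1)&lt;/script&gt;&lt;b onmouseover=x&gt;y</b>
    }
}
```

Two points worth noticing in the output. The user-name check rejects "alice\n" only because the pattern is anchored with \z; replacing it with $ would accept the string and hand a line break to whatever consumes the field. In the sanitized comment, the closing </b> after "y" is restored while its malformed opening tag is not, which is harmless for encoding purposes but shows why an encode-then-allow-list approach must be paired with a renderer that tolerates unbalanced tags, or with a proper HTML sanitizer when richer markup is needed.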

