Installation and deployment Questions on installation, system configuration and deployment to the live server.
Version 4.x > Installation and deployment > how do I use validateRequest=true?
Member
KeithR - 7/30/2009 9:04:37 PM
   
how do I use validateRequest=true?
I am adding the cms to an existing asp.net site and I see you have request validation turned off sitewide. Why is it sitewide?

I don't want to add our own request validation, so can I just turn it off in the /CMSDesk folder by adding a web.config to said folder?

If I set it to true on the template .aspx pages, how will that affect the cms desk via the Page tab?

Kentico Developer
kentico_helenag - 8/3/2009 7:00:51 AM
   
RE:how do I use validateRequest=true?
Hello,

I am not quite sure why you need the request validation to be true.

If it is a question of security, I can assure you we do a lot of investigating on this issue and fix every potentially dangerous part of the system during the development stage as well as later during the testing stage. With every new version, improvements are made in this area. We take security very seriously here at Kentico Software and do our best to prevent such issues from occurring. To avoid SQL injection attacks, we escape any part of the input text used for the definition of SQL query parts, as this is standard in the prevention of this type of attack. The data passed through the FCKEditor, or an editable region in general, is saved in the database as 'CDATA', so there is no possible way to exploit this mechanism for SQL injection. We also use a wide range of stored procedures to improve the security model.

Enabling request validation can damage the FCKEditor functionality. I would recommend that you not enable it. If you have any concrete problem, please let us know and we may find a workaround.

Best regards,
Helena Grulichova

Member
KeithR - 8/3/2009 1:10:26 PM
   
RE:how do I use validateRequest=true?
Hi Helena,

The issue I have is that I am integrating your CMS into an existing asp.net site that has lots of its own form input functionality, so I don't want to disable the request validation used throughout the existing site.

I would think that this is a fairly common scenario, so can you tell me exactly what CMS operations would not work? In particular, would this affect the editing of content on the Page tab using <cms:CMSEditableRegion/> controls?

Thanks,
Keith

Kentico Developer
kentico_helenag - 8/4/2009 5:45:34 AM
   
RE:how do I use validateRequest=true?
Hi Keith,

Except for editable region controls, the FCKEditor is used in the form control: HTML area (it could be in Document types, BizForms, System tables, Custom tables).
The validateRequest=true setting may affect editing of transformations and layouts in CMSDesk, too.
If you set validateRequest=true for the whole site except for CMSDesk, CMSSiteManager and CMSPages/PortalTemplate.aspx, it should work correctly. But all Portal engine pages would not use request validation; only your ASPX templates would work with your required validateRequest=true.

Best regards,
Helena Grulichova
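
The setup suggested in the last reply, written out as a root web.config sketch. This is an added example, not configuration posted in the thread or shipped by Kentico; it assumes the CMS folders sit directly under the application root and that the `validateRequest` attribute is merged into the `pages` element the site already has.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Site-wide default: request validation stays on for the existing
         site's own forms and for the ASPX templates. -->
    <pages validateRequest="true" />
  </system.web>

  <!-- Opt-outs limited to the three paths named in the reply.
       The FCKEditor, transformation and layout editing post raw markup
       here, which request validation would reject. -->
  <location path="CMSDesk">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>

  <location path="CMSSiteManager">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>

  <!-- Single-file scope: every Portal engine page is served through this
       handler page, so all of them run without request validation. -->
  <location path="CMSPages/PortalTemplate.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

On ASP.NET 4.0 and later, a page-level `validateRequest="false"` takes effect only where `<httpRuntime requestValidationMode="2.0" />` applies to that path. Pages under the three excluded paths get no request validation, so they rely on the application's own input handling and output encoding.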