I have an ASP.NET Web Service (asmx) function with string parameters. The built-in request validation should catch HTML tags, and it works when using the auto-generated localhost test page or with jQuery's ajax/post if dataType is not set to json (ValidateRequest="true").

With dataType:"json" HttpRequestValidationException is not triggered:

$.ajax({
    type: "POST",
    url: "/my.asmx/SetName",
    data: '{"name":"' + $("#name").val() + '"}',
    contentType: "application/json; charset=utf-8",
    dataType: "json",
    async: false
});

If I remove contentType and dataType I get the expected HttpRequestValidationException.

This leaves my ws vulnerable. Unfortunately WCF is not an option.

LZW

1 Answer

This is by design. Only HttpRequest's Path, PathInfo, RawUrl, Cookies, Form, QueryString and File are validated. Headers may also be validated if you use a custom request validator.

The reason why request validation is done when you remove contentType is that jQuery defaults it to application/x-www-form-urlencoded, which is a form post (HttpRequest.Form).

LostInComputer
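
Because the JSON body is outside the collections listed in the answer, the check has to happen in the web method itself. The following is an added example, not code from the question or the answer: the class name `My`, the allow-list policy in `AllowedName`, and the use of `Application` state as a stand-in for storage are all assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.Script.Services;
using System.Web.Services;

[WebService(Namespace = "http://example.invalid/")] // placeholder namespace
[ScriptService] // exposes the JSON endpoint that the jQuery call posts to
public class My : WebService
{
    // Assumed policy: letters, digits, space, period, apostrophe, hyphen; 1-64 chars.
    // \A and \z anchor the whole string, so a trailing newline cannot slip through.
    private static readonly Regex AllowedName =
        new Regex(@"\A[\p{L}\p{N} .'\-]{1,64}\z", RegexOptions.CultureInvariant);

    // Kept separate so the rule can be unit tested without an HTTP request.
    public static bool IsValidName(string name)
    {
        return name != null && AllowedName.IsMatch(name);
    }

    [WebMethod]
    public void SetName(string name)
    {
        // Request validation inspects Form, QueryString, Cookies and so on,
        // but not a JSON body, so "<script>" would arrive here unchecked.
        if (!IsValidName(name))
        {
            // The JSON endpoint reports this to the caller as an HTTP 500 error.
            throw new ArgumentException("Invalid name.", "name");
        }

        // Stand-in for real storage (assumption); use parameterized queries
        // if this goes to a database.
        Application["name"] = name;
    }
}
```

The allow-list still permits an apostrophe, so the stored value needs context-appropriate encoding (for example `HttpUtility.HtmlEncode`) wherever it is later written into a page.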