Cross Site Scripting: Validating query string parameters

1. Enable request validation by setting ValidateRequest="true" in the @ Page directive.

2. Take care when using query string parameters. Cast the query string value to the expected data type before using it. The snippet below shows this for a GUID: if the user has manipulated the value in the URL, the Guid constructor cannot create a GUID from it, the catch block runs and a generic error message is displayed instead of the tampered value. The same approach applies to any data type.

    using System;

    try
    {
        // Read the raw query string value and force it into a strongly typed GUID.
        string key = Request.QueryString["e"];
        Guid errorGuid = new Guid(key);
        lblError.Text = string.Format("Please provide the following error code {0}.", errorGuid.ToString());
    }
    catch (Exception ex)
    {
        // Handle the exception accordingly: show a generic message, never the raw input.
    }
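The same check written without exception-driven control flow, as an added example that is not part of the original page. It assumes a Web Forms code-behind with a Label named lblError and the query string key "e" from the snippet above; the helper name ParseErrorCode is hypothetical. Any value that is not a well-formed GUID, for example one containing markup, is rejected and only a generic message is shown.

```csharp
// Added example (not from the original page): hardened version of the snippet above.
// Assumes an ASP.NET Web Forms code-behind with a Label named lblError and a
// query string key "e" as in the original; ParseErrorCode is a hypothetical helper.
using System;
using System.Web;

public partial class ErrorPage : System.Web.UI.Page
{
    // Returns the canonical GUID text if the value is a well-formed GUID, otherwise null.
    // Guid.TryParse never throws, so control flow does not depend on exceptions, and the
    // returned string can only contain hexadecimal digits and hyphens.
    public static string ParseErrorCode(string raw)
    {
        Guid parsed;
        if (string.IsNullOrEmpty(raw) || !Guid.TryParse(raw, out parsed))
        {
            return null;
        }
        return parsed.ToString("D");
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string code = ParseErrorCode(Request.QueryString["e"]);
        if (code == null)
        {
            // Generic message: never echo the rejected input back into the page.
            lblError.Text = "An error occurred. Please contact support.";
            return;
        }

        // HTML-encode as defence in depth even though the parsed value is already safe.
        lblError.Text = string.Format(
            "Please provide the following error code {0}.",
            HttpUtility.HtmlEncode(code));
    }
}
```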