A lot of web applications use RegularExpressionValidators for performing input validation [1]. Sometimes these validators are not implemented properly, which can lead to potential flaws. See if you can catch the flaw here:-
Code for Default.aspx:-
1: <%@ Page Language="C#" ValidateRequest="false" AutoEventWireup="true" CodeFile="Default2.aspx.cs" Inherits="Default2" %>
2: <html xmlns="http://www.w3.org/1999/xhtml" >
3: <body>
4: <form id="form1" runat="server">
5:
6: <asp:TextBox ID="txtName" runat="server"></asp:TextBox>
7: <asp:Button ID="btnSubmit" runat="server" Text="Submit" OnClick="btnSubmit_Click" />
8: <asp:RegularExpressionValidator ID="regexpName" runat="server"
9: ErrorMessage="This expression does not validate."
10: ControlToValidate="txtName"
11: ValidationExpression="^[a-zA-Z'.\s]{1,40}$" />
12:
13: </form>
14: </body>
15: </html>
Code behind Default.aspx.cs file:-
1: public partial class Default2 : System.Web.UI.Page
2: {
3: protected void Page_Load(object sender, EventArgs e)
4: {
6: }
7: protected void btnSubmit_Click(object sender, EventArgs e)
8: {
9: Response.Write("Welcome " + Request["txtName"]);
10: }
11: }
Reference:-
[1] How To: Use Regular Expressions to Constrain Input in ASP.NET http://msdn.microsoft.com/en-us/library/ms998267.aspx