I don't know if this qualifies as evil, stupid, both, or neither, but here's a story.
So, what to do? Using Lutz's Reflector, Anakrino, and ILDASM I "examined" System.Web.CrossSiteScriptingValidation, HttpValidationException and others, and back-ported the equivalent to ASP.NET @Page Directive "validateInput = true" into an custom validateInput HttpModule. I hook PreRequestHandlerExecute and quite happily detect scripting attacks in ASP.NET 1.0.
Again, may be evil, but felt so good. When the site is upgraded to ASP.NET 1.1 later this year I'll just remove this line from the Web.config:
A couple of interesting questions came up, one of which was...
A while loop is expanded when compiling IL, and the C# equivalent is something like this:
or just leave well-enough (and well-equivalent) alone? Remembering that this is a so very temporary and marginally not cool thing to do, perhaps it's best to let sleeping dogs lie.
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.
Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.