RequestValidator.IsValidRequestString Method


Validates a string that contains HTTP request data.

protected public:
 virtual bool IsValidRequestString(System::Web::HttpContext ^ context, System::String ^ value, System::Web::Util::RequestValidationSource requestValidationSource, System::String ^ collectionKey, [Runtime::InteropServices::Out] int % validationFailureIndex);
protected internal virtual bool IsValidRequestString (System.Web.HttpContext context, string value, System.Web.Util.RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex);
abstract member IsValidRequestString : System.Web.HttpContext * string * System.Web.Util.RequestValidationSource * string * int -> bool
override this.IsValidRequestString : System.Web.HttpContext * string * System.Web.Util.RequestValidationSource * string * int -> bool
Protected Friend Overridable Function IsValidRequestString (context As HttpContext, value As String, requestValidationSource As RequestValidationSource, collectionKey As String, ByRef validationFailureIndex As Integer) As Boolean



context: The context of the current request.


value: The HTTP request data to validate.


requestValidationSource: An enumeration that represents the source of request data that is being validated. The following are possible values for the enumeration:

  • QueryString
  • Form
  • Cookies
  • Files
  • RawUrl
  • Path
  • PathInfo
  • Headers

collectionKey: The key in the request collection of the item to validate. This parameter is optional and is used only if the data to validate is obtained from a collection. If the data to validate is not from a collection, collectionKey can be null.


validationFailureIndex: When this method returns, indicates the zero-based starting point of the problematic or invalid text in the request collection. This parameter is passed uninitialized.



true if the string to be validated is valid; otherwise, false.


You implement this method to perform custom validation of request data. The base behavior of the IsValidRequestString(HttpContext, String, RequestValidationSource, String, Int32) method is like the behavior that ASP.NET implements internally to check for dangerous strings in cross-site scripting validation. For more information, see How To: Prevent Cross-Site Scripting in ASP.NET.

If custom validation logic detects an error, this method should return false and provide a value in validationFailureIndex to indicate the starting point of the text that caused the error. The value in validationFailureIndex must be 0 or a positive integer.
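The following override is an added example, not code from the original page. It shows the contract described above: report the offset of the offending text in validationFailureIndex when returning false, and defer to the base check otherwise. The class name StrictRequestValidator and the control-character policy are assumptions made for illustration.

```csharp
using System.Web;
using System.Web.Util;

// Hypothetical validator: adds a stricter rule on top of the built-in check.
public class StrictRequestValidator : RequestValidator
{
    // Assumed policy for this example: CR, LF and NUL are never accepted
    // in query-string, cookie or header values.
    private static readonly char[] Disallowed = { '\r', '\n', '\0' };

    protected override bool IsValidRequestString(
        HttpContext context,
        string value,
        RequestValidationSource requestValidationSource,
        string collectionKey,
        out int validationFailureIndex)
    {
        // An out parameter must be assigned on every return path.
        validationFailureIndex = 0;

        bool strictSource =
            requestValidationSource == RequestValidationSource.QueryString ||
            requestValidationSource == RequestValidationSource.Cookies ||
            requestValidationSource == RequestValidationSource.Headers;

        // collectionKey may be null (for example for RawUrl), so the rule
        // here depends only on the source and the value itself.
        if (strictSource && value != null)
        {
            int index = value.IndexOfAny(Disallowed);
            if (index >= 0)
            {
                // Zero-based start of the text that caused the failure.
                validationFailureIndex = index;
                return false;
            }
        }

        // Everything that passes the extra rule still goes through the
        // default ASP.NET dangerous-string check.
        return base.IsValidRequestString(
            context, value, requestValidationSource,
            collectionKey, out validationFailureIndex);
    }
}
```

A custom validator takes effect only after it is registered through the requestValidationType attribute of the httpRuntime element in Web.config.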

The logic in a request validation check proceeds as follows:
