Validation checking in the web client

When you attempt to save an object that is missing required data, those fields are highlighted. A message dialog or tooltip lists the fields that are missing data.

Validation on the web client is set to .NET version 2.0 by default. Users can specify any kind of string in text fields and boxes. This includes strings that .NET 4.0 normally considers insecure, such as strings that are formatted like HTML tags.

To apply .NET 4.0 validation to your environment, follow these steps. Switch to Security Mode 4.0 only if you are going to expose Optiva outside of your firewall.

  1. Open the Web.config file.
    Optiva: \inetpub\wwwroot\FsOptivaWeb\Web.config
  2. Find this code:
    
    <httpRuntime executionTimeout="2600000" requestValidationMode="2.0" 
    maxRequestLength="12096" useFullyQualifiedRedirectUrl="false" 
    minFreeThreads="8" minLocalRequestFreeThreads="4" 
    appRequestQueueLimit="100" />
    
  3. Change requestValidationMode="2.0" to requestValidationMode="4.0" as shown here.
    
    <httpRuntime executionTimeout="2600000" requestValidationMode="4.0" 
    maxRequestLength="12096" useFullyQualifiedRedirectUrl="false" 
    minFreeThreads="8" minLocalRequestFreeThreads="4" 
    appRequestQueueLimit="100" />
    
  4. Un-comment this code in the Web.config file. This keeps validation mode 2.0 applied to the forms that have script fields.
    
    <!--<location path="Core/FsFrmAction.aspx">
        <system.web>
            <httpRuntime requestValidationMode="2.0" />
        </system.web>
    </location>
    <location path="Core/FsFrmCopyMethod.aspx">
        <system.web>
            <httpRuntime requestValidationMode="2.0" />
        </system.web>
    </location>
    <location path="Core/FsFrmEquation.aspx">
        <system.web>
            <httpRuntime requestValidationMode="2.0" />
        </system.web>
    </location>
    <location path="Core/FsFrmScriptLibrary.aspx">
        <system.web>
            <httpRuntime requestValidationMode="2.0" />
        </system.web>
    </location>
    <location path="Core/FsFrmSymbol.aspx">
        <system.web>
            <httpRuntime requestValidationMode="2.0" />
        </system.web>
    </location>-->
    
    

    With the un-commented block of code, the web client forms that have script fields are not validated. They are not checked for “dangerous” strings.
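
A check for the result of the steps above, as an added example that is not part of the Optiva documentation: it parses a Web.config and reports the site-wide requestValidationMode and the location paths that actively override it, so a block that is still commented out does not count. The sample config is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: site-wide mode switched to 4.0, two script forms
# un-commented (step 4), one script form still inside an XML comment.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime executionTimeout="2600000" requestValidationMode="4.0" />
  </system.web>
  <location path="Core/FsFrmAction.aspx">
    <system.web><httpRuntime requestValidationMode="2.0" /></system.web>
  </location>
  <location path="Core/FsFrmEquation.aspx">
    <system.web><httpRuntime requestValidationMode="2.0" /></system.web>
  </location>
  <!--<location path="Core/FsFrmSymbol.aspx">
    <system.web><httpRuntime requestValidationMode="2.0" /></system.web>
  </location>-->
</configuration>"""


def _mode(parent):
    """requestValidationMode at parent/system.web/httpRuntime, or None if unset."""
    node = parent.find("system.web/httpRuntime")
    return None if node is None else node.get("requestValidationMode")


def audit_request_validation(xml_text):
    """Return (site_mode, {location path: mode}) for active overrides only."""
    root = ET.fromstring(xml_text)  # the parser discards XML comments
    overrides = {}
    for loc in root.findall("location"):
        mode = _mode(loc)
        if mode is not None:
            overrides[loc.get("path")] = mode
    return _mode(root), overrides


def exempt_pages(xml_text):
    """Location paths whose mode differs from the site-wide mode."""
    site, overrides = audit_request_validation(xml_text)
    return sorted(p for p, m in overrides.items() if m != site)


if __name__ == "__main__":
    site, overrides = audit_request_validation(SAMPLE_WEB_CONFIG)
    print("site-wide requestValidationMode:", site)
    for path in exempt_pages(SAMPLE_WEB_CONFIG):
        print("override:", path, "->", overrides[path])
```

The paths it lists are the forms that accept strings the 4.0 mode would reject, which makes the list a starting point for reviewing how those script fields are handled on output.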