AccessSettings.UriValidated Event
Allows you to override built-in URL validation and/or implement additional application-specific URL policies.
Namespace: DevExpress.Security.Resources
Assembly: DevExpress.Data.v25.1.dll
NuGet Package: DevExpress.Data
Declaration
Event Data
The UriValidated event's data class is AccessSettings.UriValidatedEventArgs. The following properties provide information specific to this event:
| Property | Description |
|---|---|
| Uri |
Gets the parsed and normalized Uri instance created from UriString.
|
| UriString | Gets the original URI string. |
| Valid | |
| ValidationContext | Gets the context that identifies the source or purpose of the validation. |
Remarks
DevExpress Reports and BI Dashboard automatically validate and sanitize all external URLs used within a report document or dashboard control. URL validation helps protect your application against cross-site scripting (XSS), server-side request forgery (SSRF), phishing, and similar URL-based attacks.
The DevExpress URL validation engine checks all URLs before they are processed, displayed, or used for data access. It applies multi-layered protection against malicious or malformed input by verifying each URL and blocking unsafe schemes, malformed data, deceptive characters, and private network targets.
Hyperlinks, images, and data connections that reference external URLs are validated as follows:
- Safe URLs (for example, https://example.com) are rendered as active links.
- Invalid or unsafe URLs are displayed as plain text.
- Validation silently blocks unsafe URLs without raising exceptions.
Handle the UriValidated event to override built-in URL validation and/or implement additional application-specific URL policies.
void Application_Start(object sender, EventArgs e) {
// Restrict data source access.
AccessSettings.DataResources.TrySetRules(
DirectoryAccessRule.Allow(Server.MapPath("~/App_Data/")),
UrlAccessRule.Allow("https://trustedsource.com/")
);
// Apply custom validation rules (exact domain or subdomains only).
// Log rejected and explicitly approved URLs.
AccessSettings.UriValidated += (s, e) => {
var uri = e.Uri;
if (uri == null)
return;
bool initiallyValid = e.Valid;
var host = uri.Host;
if (host.Equals("trustedsource.com", StringComparison.OrdinalIgnoreCase) ||
host.EndsWith(".trustedsource.com", StringComparison.OrdinalIgnoreCase)) {
e.Valid = true;
}
if (!initiallyValid && e.Valid) {
Log.Info($"URL override accepted: {uri}");
} else if (initiallyValid && !e.Valid) {
Log.Warn($"URL override blocked: {uri}");
} else if (!e.Valid) {
Log.Info($"URL rejected (built-in): {uri}");
}
};
}
See the following help topic for more information: Safe URL Validation.