V25.1
    Safe URL Validation

    DevExpress Reports automatically validates and sanitizes all external URLs used within a report document. URL validation helps protect your application against cross-site scripting (XSS), server-side request forgery (SSRF), phishing, and similar URL-based attacks.

    Automatic URL Validation

    The DevExpress URL validation engine checks all URLs before they are processed, displayed, or used for data access. It applies multi-layered protection against malicious or malformed input by verifying each URL and blocking unsafe schemes, malformed data, deceptive characters, and private network targets.

    Hyperlinks, images, and data connections that reference external URLs are validated as follows:

    • Safe URLs (for example, https://example.com) are rendered as active links.
    • Invalid or unsafe URLs are displayed as plain text.
    • Validation silently blocks unsafe URLs without raising exceptions.

    The following table summarizes security checks executed during URL validation and describes how each mitigates potential threats:

    | Security Check | Mitigation | Result |
    |---|---|---|
    | URI Scheme Restriction | Allows only http, https, and mailto. Blocks file:, data:, javascript:, vbscript:, chrome:, OS-specific handlers, and other unsafe schemes. | Blocks arbitrary code execution and local file access. |
    | Control Character and Unicode Sanitization | Removes ASCII control characters, DEL, C1, bidirectional/formatting marks (U+200E/U+200F/U+202A–U+202E/U+2066–U+2069), and backslashes. | Prevents spoofing, visual deception, and text obfuscation. |
    | CRLF Injection Prevention | Rejects carriage return (\r) and line feed (\n) in query strings for http, https, and mailto URIs. | Prevents HTTP header smuggling and SMTP injection. |
    | Embedded Credential Blocking | Blocks URLs containing embedded credentials (for example, https://user:pass@host). | Prevents credential exposure and phishing attacks. |
    | SSRF Protection | Blocks access to localhost, loopback, private IPv4 (10/8, 172.16-31/12, 192.168/16), link-local (169.254/16), and unique local IPv6 (fc00::/7) addresses. | Protects internal services and cloud metadata endpoints. |
    | Host & IDN Validation | Enforces valid, normalized host names and verifies proper IDN encoding. | Mitigates spoofing through mixed-script or malformed host names. |
    | Port Range Enforcement | Allows only ports within a valid range (1–65535). | Blocks malformed or out-of-range port exploits. |
    | Fragment Sanitization | Limits fragment size (≤512 characters). Blocks control characters, invalid % sequences, and double-encoding patterns (for example, %252F). | Prevents hidden payload smuggling through URL fragments. |
    | URL Length Restriction | Enforces a 2048-character maximum. | Prevents parser overflow and memory abuse. |
    | mailto: URI Validation | Validates email syntax and query parameters. Limits query size (≤512 characters). Blocks CR/LF characters and private/loopback hosts. | Prevents SMTP header injection, spoofed recipients, and abuse payloads. |
    | Relative URI Validation | For relative URIs, rejects CR/LF characters. | Enables safe intra-application navigation and prevents line injection. |
    | Canonical URI Normalization | Uses Uri.GetComponents(..., UriFormat.UriEscaped) for canonical form extraction. | Eliminates ambiguity and enforces consistent URI representation. |

    Note

    Invalid or blocked URLs are rendered as inert plain text. They are not fetched, dereferenced, or executed.
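    The checks listed in the table can be illustrated with a stand-alone validator built on System.Uri. This is an added example written for this page, not the DevExpress engine: the UrlPolicy class, its rejection labels, and the sample URLs are all constructed here.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;

// Hypothetical stand-alone policy class (not the DevExpress engine) that mirrors the table's checks.
static class UrlPolicy {
    static readonly string[] AllowedSchemes = { Uri.UriSchemeHttp, Uri.UriSchemeHttps, Uri.UriSchemeMailto };
    static bool IsBidiMark(char c) =>
        c == '\u200E' || c == '\u200F' || (c >= '\u202A' && c <= '\u202E') || (c >= '\u2066' && c <= '\u2069');

    // Returns null when the URL passes, otherwise the name of the check that rejected it.
    public static string Check(string raw) {
        if (raw is null || raw.Length > 2048) return "URL length";
        // C0/C1 controls, DEL, bidi/formatting marks and backslashes are rejected before parsing.
        if (raw.Any(c => char.IsControl(c) || c == '\\' || IsBidiMark(c))) return "Control/Unicode";
        if (!Uri.TryCreate(raw, UriKind.Absolute, out var uri)) return "Malformed";
        if (!AllowedSchemes.Contains(uri.Scheme, StringComparer.OrdinalIgnoreCase)) return "Scheme";
        // Literal CR/LF were caught above; the percent-encoded forms are rejected too (conservative choice).
        if (uri.Query.IndexOf("%0D", StringComparison.OrdinalIgnoreCase) >= 0 ||
            uri.Query.IndexOf("%0A", StringComparison.OrdinalIgnoreCase) >= 0) return "CRLF in query";
        if (uri.Fragment.Length > 512 || uri.Fragment.Contains("%25")) return "Fragment"; // %252F = double encoding
        if (IsPrivateHost(uri.Host)) return "SSRF/private host";
        if (uri.Scheme == Uri.UriSchemeMailto) return uri.Query.Length > 512 ? "mailto query size" : null;
        // mailto:user@host legitimately puts "user" in UserInfo, so credentials are checked for http(s) only.
        if (uri.UserInfo.Length > 0) return "Embedded credentials";
        if (uri.Port < 1 || uri.Port > 65535) return "Port";
        return null;
    }

    // Classifies IP literals and "localhost" only; a name that resolves to a private address
    // needs a DNS lookup at fetch time, which this example does not perform.
    static bool IsPrivateHost(string host) {
        host = host.Trim('[', ']');
        if (host.Equals("localhost", StringComparison.OrdinalIgnoreCase)) return true;
        if (!IPAddress.TryParse(host, out var ip)) return false;
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();   // ::ffff:10.0.0.1 hides an IPv4 address
        if (IPAddress.IsLoopback(ip)) return true;
        byte[] b = ip.GetAddressBytes();
        if (ip.AddressFamily == AddressFamily.InterNetwork)
            return b[0] == 10 || (b[0] == 172 && (b[1] & 0xF0) == 16)           // 10/8, 172.16/12
                || (b[0] == 192 && b[1] == 168) || (b[0] == 169 && b[1] == 254); // 192.168/16, 169.254/16
        return (b[0] & 0xFE) == 0xFC;                                             // fc00::/7 unique local
    }

    public static void Main() {
        string[] samples = {   // constructed inputs, roughly one per check
            "https://example.com/report?id=7#top", "javascript:alert(1)", "https://user:pass@example.com/",
            "https://example.com/?q=1%0D%0Anext", "http://169.254.1.1/", "https://[fd12::1]/",
            "https://[::ffff:10.0.0.1]/", "https://example.com/#%252Fetc", "mailto:alice@example.com?subject=Report" };
        foreach (var s in samples) Console.WriteLine($"{Check(s) ?? "OK"}: {s}");
    }
}
```

    Only the first and last samples pass; each of the others is rejected by the check it was constructed to trigger.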

    Custom URL Validation

    Handle the AccessSettings.UriValidated event to override the built-in decision or to add application-specific URL policies.

    The following code snippet allows URLs hosted on a specific trusted domain:

    AccessSettings.UriValidated += (s, e) => {
        var uri = e.Uri;
        if (uri == null)
            return;

        // Override only HTTPS URLs; anything else keeps the built-in decision.
        if (uri.Scheme != Uri.UriSchemeHttps)
            return;

        // Accept the exact trusted domain or any of its subdomains.
        var host = uri.Host;
        if (host.Equals("trustedsource.com", StringComparison.OrdinalIgnoreCase) ||
            host.EndsWith(".trustedsource.com", StringComparison.OrdinalIgnoreCase)) {
            e.Valid = true;
        }
    };

    Example: Startup Configuration

    void Application_Start(object sender, EventArgs e) {
        // Restrict data source access.
        AccessSettings.DataResources.TrySetRules(
            DirectoryAccessRule.Allow(Server.MapPath("~/App_Data/")),
            UrlAccessRule.Allow("https://trustedsource.com/")
        );
    
        // Apply custom validation rules (exact domain or subdomains only).
        // Log rejected and explicitly approved URLs.
        AccessSettings.UriValidated += (s, e) => {
            var uri = e.Uri;
            if (uri == null)
                return;
    
            bool initiallyValid = e.Valid;
    
            var host = uri.Host;
            if (host.Equals("trustedsource.com", StringComparison.OrdinalIgnoreCase) ||
                host.EndsWith(".trustedsource.com", StringComparison.OrdinalIgnoreCase)) {
                e.Valid = true;
            }
    
            if (!initiallyValid && e.Valid) {
                Log.Info($"URL override accepted: {uri}");
            } else if (initiallyValid && !e.Valid) {
                Log.Warn($"URL override blocked: {uri}");
            } else if (!e.Valid) {
                Log.Info($"URL rejected (built-in): {uri}");
            }
        };
    }
    

    Warning

    Ensure that logs do not contain sensitive information, such as tokens embedded in query strings.

    Security Best Practices

    Even with built-in protection, we recommend that you reinforce security through configuration and controlled access:

    • Restrict data source access with AccessSettings.DataResources.
    • Limit reports to approved folders or trusted web domains.
    • Disallow unsafe or unnecessary URI schemes (enable additional schemes only when absolutely required).
    • Handle the AccessSettings.UriValidated event to implement organization-specific logic such as:
      • Whitelisting: Restrict URLs to corporate or otherwise trusted domains.
      • Audit logging: Record timestamp, original URL, and validation decisions.
    • Monitor audit logs for rejected or suspicious URLs to detect attempted attacks or configuration issues.
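    As an added example that follows the Warning above and the audit-logging recommendation (not DevExpress code): a UriValidated handler that tightens the built-in verdict and writes an audit record with query-string values redacted. The UrlAudit class, its policy rules, and the trustedsource.com domain from the earlier snippet are assumptions, and the DevExpress.XtraReports.Security namespace is assumed for AccessSettings.

```csharp
using System;
using System.Linq;
using DevExpress.XtraReports.Security;   // AccessSettings; namespace assumed for this example

// Added example (not DevExpress code): tightens the built-in verdict and writes a redacted audit record.
static class UrlAudit {
    // Keeps query keys for triage but replaces every value with "*" so tokens never reach the log.
    // The fragment is dropped for the same reason.
    public static string Redact(Uri uri) {
        string basePart = uri.GetLeftPart(UriPartial.Path);
        if (string.IsNullOrEmpty(uri.Query)) return basePart;
        var keys = uri.Query.TrimStart('?')
                      .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries)
                      .Select(p => p.Split('=')[0] + "=*");
        return basePart + "?" + string.Join("&", keys);
    }

    static bool IsTrustedHost(string host) =>
        host.Equals("trustedsource.com", StringComparison.OrdinalIgnoreCase) ||
        host.EndsWith(".trustedsource.com", StringComparison.OrdinalIgnoreCase);

    public static void Register() {
        AccessSettings.UriValidated += (s, e) => {
            var uri = e.Uri;
            if (uri == null) return;
            bool builtIn = e.Valid;          // engine verdict before this handler ran
            string reason = "built-in";
            // Organization policy layered on the engine: HTTPS only (so mailto is rejected too),
            // host names rather than IP literals, and only the allowlisted domain.
            if (e.Valid && uri.Scheme != Uri.UriSchemeHttps) { e.Valid = false; reason = "policy: https only"; }
            else if (e.Valid && uri.HostNameType != UriHostNameType.Dns) { e.Valid = false; reason = "policy: ip literal"; }
            else if (e.Valid && !IsTrustedHost(uri.Host)) { e.Valid = false; reason = "policy: host not allowlisted"; }
            // Audit record: timestamp, redacted URL, engine verdict, final verdict, reason. Console stands in for a logger.
            Console.WriteLine($"{DateTime.UtcNow:O} url={Redact(uri)} builtIn={builtIn} final={e.Valid} reason={reason}");
        };
    }
}
```

    Call UrlAudit.Register() once at startup, alongside the TrySetRules call shown earlier; a URL such as https://trustedsource.com/r?token=abc&id=7 is logged as https://trustedsource.com/r?token=*&id=*.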