xtrareports-405611-safe-url-validation.md
DevExpress Reports automatically validates and sanitizes all external URLs used within a report document. URL validation helps protect your application against cross-site scripting (XSS), server-side request forgery (SSRF), phishing, and similar URL-based attacks.
The DevExpress URL validation engine analyzes all URLs before they are processed, displayed, or executed. It applies multi-layered protection against malicious or malformed input by validating each URL and blocking unsafe schemes, malformed data, deceptive characters, and private network targets.
Validation behavior depends on the application platform.
In desktop reporting applications, hyperlinks and other actions that initiate process execution are validated according to DevExpress Safe URL Validation policy.
Validation is performed as follows:
In web reporting applications, hyperlinks, images, and data connections that reference external URLs are validated as follows:
Note
Invalid or blocked URLs are rendered as inert plain text. They are not fetched, dereferenced, or executed.
The following table summarizes security checks executed during URL validation and describes how each mitigates potential threats:
| Security Check | Mitigation | Result |
|---|---|---|
| URI Scheme Restriction | Allows only http, https, and mailto. Blocks file:, data:, javascript:, vbscript:, chrome:, OS-specific handlers, and other unsafe schemes. | Blocks arbitrary code execution and local file access. |
| Control Character and Unicode Sanitization | Removes ASCII control characters, DEL, C1, bidirectional/formatting marks (U+200E/U+200F/U+202A–U+202E/U+2066–U+2069), backslashes, and query-like fragments. | Prevents spoofing, visual deception, and text obfuscation. |
| CRLF Injection Prevention | Rejects carriage return (\r) and line feed (\n) in query strings for http, https, and mailto URIs. | Prevents HTTP header smuggling and SMTP injection. |
| Embedded Credential Blocking | Blocks URLs containing embedded credentials (for example, https://user:pass@host). | Prevents credential exposure and phishing attacks. |
| SSRF Protection | Blocks access to localhost, loopback, private IPv4 (10/8, 172.16-31/12, 192.168/16), link-local (169.254/16), and unique local IPv6 (fc00::/7) addresses. | Protects internal services and cloud metadata endpoints. |
| Host & IDN Validation | Enforces valid, normalized host names and verifies proper IDN encoding. | Mitigates spoofing through mixed-script or malformed host names. |
| Port Range Enforcement | Allows only ports within a valid range (1–65535). | Blocks malformed or out-of-range port exploits. |
| Fragment Sanitization | Limits fragment size (≤512 characters). Blocks control characters, invalid % sequences, and double-encoding patterns (for example, %252F). | Prevents hidden payload smuggling through URL fragments. |
| URL Length Restriction | Enforces a 2048-character maximum. | Prevents parser overflow and memory abuse. |
| mailto: URI Validation | Validates email syntax and query parameters. Limits query size (≤512 characters). Blocks CR/LF characters and private/loopback hosts. | Prevents SMTP header injection, spoofed recipients, and abuse payloads. |
| Relative URI Validation | For relative URIs, rejects CR/LF characters. | Enables safe intra-application navigation and prevents line injection. |
| Canonical URI Normalization | Uses Uri.GetComponents(..., UriFormat.UriEscaped) for canonical form extraction. | Eliminates ambiguity and enforces consistent URI representation. |
Handle the AccessSettings.UriValidated event to override built-in validation and/or implement additional application-specific URL policies.
The following code snippet allows URLs hosted on a specific trusted domain:
AccessSettings.UriValidated += (s, e) => {
var uri = e.Uri;
if (uri == null)
return;
// Restrict to HTTPS only.
if (uri.Scheme != Uri.UriSchemeHttps)
return;
// Allow exact domain or its subdomains.
var host = uri.Host;
if (host.Equals("trustedsource.com", StringComparison.OrdinalIgnoreCase) ||
host.EndsWith(".trustedsource.com", StringComparison.OrdinalIgnoreCase)) {
e.Valid = true;
}
};
To restrict custom validation logic to Reporting controls, check whether ValidationContext is a ReportUriValidationContext:
AccessSettings.UriValidated += (s, e) => {
if (e.ValidationContext is ReportUriValidationContext) {
// ...
}
}
void Application_Start(object sender, EventArgs e) {
// Restrict data source access.
AccessSettings.DataResources.SetRules(
DirectoryAccessRule.Allow(Server.MapPath("~/App_Data/")),
UrlAccessRule.Allow("https://trustedsource.com/")
);
// Apply custom validation rules (exact domain or subdomains only).
// Log rejected and explicitly approved URLs.
AccessSettings.UriValidated += (s, e) => {
var uri = e.Uri;
if (uri == null)
return;
bool initiallyValid = e.Valid;
var host = uri.Host;
if (host.Equals("trustedsource.com", StringComparison.OrdinalIgnoreCase) ||
host.EndsWith(".trustedsource.com", StringComparison.OrdinalIgnoreCase)) {
e.Valid = true;
}
if (!initiallyValid && e.Valid) {
Log.Info($"URL override accepted: {uri}");
} else if (initiallyValid && !e.Valid) {
Log.Warn($"URL override blocked: {uri}");
} else if (!e.Valid) {
Log.Info($"URL rejected (built-in): {uri}");
}
};
}
Warning
Ensure that logs do not contain sensitive information/tokens embedded in query strings.
Even with built-in protection, we recommend that you reinforce security through configuration and controlled access:
Restrict data source access with AccessSettings.DataResources.
Limit reports to approved folders or trusted web domains.
Disallow unsafe or unnecessary URI schemes (enable additional schemes only when absolutely required).
Handle the AccessSettings.UriValidated event to implement organization-specific logic such as:
Monitor audit logs for rejected or suspicious URLs to detect attempted attacks or configuration issues.
See Also