From 637eb3a7310cf10b6e36d4d82c2a9ab7677e6956 Mon Sep 17 00:00:00 2001 From: Hong Li Date: Wed, 21 Mar 2018 12:28:50 -0700 Subject: [PATCH] re-add ASPNET472CompatDoc (#668) * re-add ASPNET472CompatDoc * Minor edits, added links. * Minor changes, added links. * Changed targeted version, removed reverted section --- .../compatibility/aspnet-472-compat-doc.md | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 Documentation/compatibility/aspnet-472-compat-doc.md diff --git a/Documentation/compatibility/aspnet-472-compat-doc.md b/Documentation/compatibility/aspnet-472-compat-doc.md new file mode 100644 index 0000000..9271bd7 --- /dev/null +++ b/Documentation/compatibility/aspnet-472-compat-doc.md @@ -0,0 +1,29 @@ +## "dataAnnotations:dataTypeAttribute:disableRegEx" app setting is on by default in .NET Framework 4.7.2 + +### Scope +Minor + +### Version Introduced +4.6.2 + +### Change Description +In .NET Framework 4.6.1, an app setting (`"dataAnnotations:dataTypeAttribute:disableRegEx"`) was introduced that allows users to disable the use of regular expressions in data type attributes (such as , , and ). This helps to reduce security vulnerability such as avoiding the possibility of a Denial of Service attack using specific regular expressions.
+ +In .NET Framework 4.6.1, this app setting to disable RegEx usage was set to `false` by default. Staring with .NET Framework 4.7.2, this config switch is set to `true` by default to further reduce secure vulnerability for web applications that target .NET Framework 4.7.2 and above. + + +### Recommended Action +If you find that regular expressions in your web application do not work after upgrading to .NET Framework 4.7.2, you can update the value of the `"dataAnnotations:dataTypeAttribute:disableRegEx"` setting to `false` to revert to the previous behavior. + +```xml + + + ... + + ... + + +``` + +### Category +Web Application