If you need to validate operations that do not accept message or data contracts, use parameter inspectors. Parameter inspectors provide a convenient mechanism to process service method invocations when they are in a parameterized form. However, even those types of fields can be validated to some degree.
Developing regular expressions can be complicated, and is well beyond the scope of this cheat sheet.
There are lots of resources on the internet about how to write regular expressions, including: and the OWASP Validation Regex Repository.
These are covered in output encoding and related cheat sheets.
It is always recommended to prevent attacks as early as possible in the processing of the user’s (attacker's) request.
Parameter inspectors allow pre- and post-processing of messages through the use of custom validators.
Unlike using a schema for validation, a custom validator requires you to write your own custom validation code.
If the input field comes from a fixed set of options, like a drop down list or radio buttons, then the input needs to match exactly one of the values offered to the user in the first place.
The most difficult fields to validate are so-called 'free text' fields, like blog entries.
Please note, email addresses should be considered to be public data.