Web Forms :: HttpRequestValidationException - Handling Cross Site Scripting (XSS)?
Oct 25, 2010
this exception is caused by entering scripts or disallowed text as "<script>", "<h1>" by the user. This exception will be thrown while processing the request.
After searching and trying, most of the solutions were to:
1- disable request validation in the page header (validateRequest="false") or in the pages section in web.config.
I dont see this is a solution, the XSS problem is still there, it just does not throw the exception.
2- To encode the text and decode it using Server.HtmlEncode and Server.HtmlDecode.
This is a good one, but have to go every single textbox and call this method (Server.Encode(txtAddress.Text)), but this require alot of effort to change the whole site, and some of them may be forgotten.
I was thinking of creating a new TextBox control (MyTextBox) to inherit from System.Web.UI.WebControls.TextBox and override the Text property, then Encode base.Text in the get accessor, and Decode base.Text in the set accessor.
This will also require to change the whole site, to use MyTextBox instead of TextBox.
I want to pull down a feed (like twitter) and place in on a page using javascript (jquery). Ultimately, the "service" just needs to hand off JSON. I created a web service that allows me to do that, sort of. I don't know if using a stream reader is all that efficient and I was a little bothered by having to use what amounts to 2 evals on the clientside.
My question is twofold: is there a better method than using a web service and two, is there a problem with my implementation?
We recently discovered that our web app was vulnerable to cross site scripting (XSS) attacks. We managed to manipulate our inputs to produce the following HTML:
[Code]....
Which executes an alert window when clicked.
After HTMLEncoding using the AntiXSS the web app successfully encodes the output to look like this: <a href="javascript:__doPostBack('ctl00$ContentPlaceHolder1$CtlSearchList1$CtlListView1$DataGrid1$ctl03$ctl00','')">'); onclick=alert('This is an XSS vulernability. An attacker could do anything here (redirect to another website, virus etc)');('.txt</a>
but the alert window still fires! What am I doing wrong?
where does following HTTP error message come from:
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
We're using dynamically generated URLs and in this specific case the URL contains the characters '<' or '>'. We do URL encode the generated URL (so '%3C' appeary instead of '<') but it doesn't Our setup is ASP.NET MVC / IIS 7.5 / IE8. It's strange but it looks like the error appears only on some machines. So it could be that the IE internet zone settings are playing a role.
I have an interesting issue I have racked my brain trying to find a solution to.
I have a site with a single master page. Part of that master page is a text field and button. They are not part of a content placeholder, they are simply part of the master page, itself, and are intended to allow people to search the site from any page on the site.
So, all search requests are routed to a search.aspx page, regardless. I am doing this by setting the PostBackUrl attribute of the button control to "search.aspx".
This all works great, except when I try to use this search capability from the search.aspx page, itself. I figure this is because I am using the Page.PreviousPage object and since a postback from the search.aspx page, itself will result in the Page.PreviousPage being Nothing, it is not performing the proper action.
I am building a website, within a large intranet, that wraps and adds functionality to another site within the same intranet. I do not have access to the other site's source and they do not provide any api's for the functionality they provide. I need to, somehow, have my server-side code go to that site, fill in some forms, then press a submit button. Is this possible? If so, how can I accomplish this?
Note: I am working in asp.NET if that matters at all.
we host catalog data and UI for our clients. we do not build entire web site for them. so for the time being client puts an iframe and points URL to our hosting site. it was working fine but now just because of iframe they are lossing SEO.so my question is how to achieve my goal without iframe.
1) how can i embed/inject/merge UI hosted by US to our client web site. 2) Get SEO benefits
I need to make my site work well on a blackberry, i haven't put too much effort into getting this working yet, but i have a few questions which google is struggling with.I've read about detecting brower type and modifying the default behaviour of asp.net controls hereHow would I go about supplying a differant stylesheet to a specific browser, should i just do this?
This will work fine, but i feel like there is a better method, i'm sure i've read about something in the past but i can't seem to recall.I'm also considering a response.redirect to a differant page for a blackberry, which at the moment i would implemenet in a similar way.
My problem is that the realm is dependent on which domain the user accessed the website on so what I did is that I set it in an global action filter like this
var module = context.HttpContext.ApplicationInstance.Modules["WSFederationAuthenticationModule"] as WSFederationAuthenticationModule; module.Realm = "http://" + siteInfo.DomainName;
My question is. When I set the realm like this, is it set per user instance or application instance.
Scenario.
User A loads the page and the realm get set to domain.a.com.
User B is already logged in on domain.b.com and presses login.
Since user A loaded the page before User B pressed login, user A will hit the STS with the wrong realm set.
What will happen here?
If this is not the way to set the realm per user instance, is there another way to do it?
We have a GUI which runs on ASP.NET 2.0 framework (Client-Server model). From the support perspective how can one find whether the pages which are opening on GUI at any point of time is a server side scripting or Client side scripting.
The reason why I ask this is because I understand that some of the codes are executed by the browser such as Javascript. So, if there are such scripts which are handled by the client browser, how can one find out that it is the Client side scripting which is running at that moment.
Like many others, my web site now throws the following exception under .NET 4.0 where it used to behave perfectly well under .NET 2.0:
A potentially dangerous Request.Form value was detected from the client.I have added the following element to my web.config file:
<httpRuntime requestValidationMode="2.0" />
However, the error still appears. It is caused by the log-in and log-out buttons on my site, which are contained in a master-page. I think the reason might be because I make extensive use of hidden fields in my web pages, which the ASP.NET validation now complains about when the pages are posted back to the server after the buttons are pressed:
A potentially dangerous Request.Form value was detected from the client (ctl00$ctl00$mainContent_PH$mainContent_lCol_PH$hdnPageContent="...ssociation's Executive Com...").
(ctl00$ctl00$mainContent_PH$mainContent_lCol_PH$hdnPageContent is a hidden field containing large amounts of HTML.) The merits of this design are probably debatable; however, what I need now is a way of letting these buttons work whilst retaining some validation for the rest of the site (as I have always had up until now).
I have this piece of code to handle the HttpRequestValidationException in my global.asax.cs file.protected void Application_Error(object sender, EventArgs e)
Is there a way I can handle HttpRequestValidationException without turning off ValidateInput?
What I really want is all HTML posted from a form to be automatically encoded in the model unless a particular property has the AllowHtml attribute set.
If I have to turn off ValidateInput, then what happens to the rest of my model validation? Will it still be validated or do I need to explicitally check ModelState.IsValid?
I'm also catching the exception in a custom model binder class but every time I try to access the offending property from Request.Form, the exception gets thrown. Is there a way to get that value in the model binder?
I think I might have stumbled onto a bug in ASP.NET MVC 3 RC. When I setup my MVC2 project in a new MVC3 project, copy paste classes, code, change name spaces, etc, etc, I ran into an issue in the following, simplified for explanation purpose, scenario:
Model:
public class WineDetails { [SkipRequestValidation] [Required(ErrorMessage = "Beschrijving verplicht")] public string Description { get; set; } }
ViewModel:
public class ViewModelCreateWine { public MasterData MasterData { get; set; } public WineDetails WineDetails { get; set; } }
ActionMethod:
[AcceptVerbs(HttpVerbs.Post)] public ActionResult CreateWine(ViewModelCreateWine viewModelCreateWine) { GetMasterDataRegions(viewModelCreateWine); if (Request.Params.ToString().IndexOf("Save") > 0) { if (TryValidateModel(viewModelCreateWine.WineDetails)) { m_wineService.CreateWine(viewModelCreateWine.WineDetails); return RedirectToAction("index", "Admin"); } } return View(viewModelCreateWine); }
The ActionMethod "CreateWine" needs to call the "CreateWine" method in the WineService so that in the end a new Wine is added to the Database. So far it looks ok. As shown in the above code the [SkipRequestValidation] is set on the "Description" property of the WineDetails model so that the user can add Rich Text to the description and HTML elements are allowed during the Request validation. This works perfectly fine until the Params collection of the Request is accessed in the code to check if the Save button is clicked. When this line of code is trying to execute the following exception is thrown:
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ViewModelCreateWine.WineDetails.Description="<p>HTML Content with...").
The same exception is thrown when I put the [ValidateInput(false)] attribute on the action method. When I comment out the "if" statement and its content there is no issue and the model validation works just fine and skips the Request Validation on the Description property as expected.
In MVC2 the above code worked fine with the [ValidateInput(false)] attribute on the action method.As I said I'm not sure if this is a bug, it very well might be my own stupidity, but I thought it would be worth to mention here. So any feedback is more than welcome.
In the load event of a web user control I have the following code which I am using to call a function in order to populate a HTML Text Area.The page hosting the control loads fine the first time it loads but on postback it throws the error
Quote:System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client I have seen people suggest <%@ Page ... validateRequest="false" %>
Firstly I would like to handle this at control level rather than on the hosting page .
Code: if (!Page.ClientScript.IsStartupScriptRegistered("AddText")) { Page.ClientScript.RegisterStartupScript [code]....
I'm setting up a fairly complex gridview, and running into an issue with allowing some keyboard shortcuts to cause a submission postback. I'm hooking the onkeydown event on all of the editable elements within my gridview (in edit mode, as well as a separate-but-similar set of elements in the footer, used for row insertion), and calling the following function:
[Code]....
Here is the definition of LinkButton1, which is within a TemplateField in MasterGridView:
[Code]....
The gridview is not populated until after the user has made some input to the page, so I can't just refer directly to MasterGridView.SelectedRow.FindControl("LinkButton1").UniqueID for my eventTarget within the PostBackOptions (if I run this right now, it'll evaluate to "not initialized". But, I don't know how I could get it to recheck the value after the page has been created. There's gotta be a better way to make this work.
I've seen the <script type="text/C#> with intellisense.
If it is possible to script client side scripts in C#, some infomation or reference on how to do it. For example, do I need using statements, is the script compiled on the server.. etc.
I have a site created using .net and the ajaxcontroltoolkit. When some users log on they do not see the controls on the page. I can duplicate this if I disable active scripting in ie. The problem is that the users I have spoken with have active scripting enabled. I have had them navigate to a site that tests javascript and it passes. Has anyone experienced this problem? If so what was your solution?
The programmer is a C# ASp.NET Developer and is looking to learn his first scripting language. Unfortunately he never had to use it before. He is also looking for something that can be good for his career growth.