Hello, I am working on XSS validation. I am trying to avoid script tags.
I put the validation in the request filter like below:
<add Url="" ValidateHeaders="true" ValidateBody="true" ValidateQueryString="true" BlockedTags="script" />
Then, when doing my dev test, I tested with the two tags below:
1. img tag
Output: A potentially dangerous Request.Form value was detected from the client ().
2. script tag
Output: Forbidden Request (and system logout)
I am expecting to get "A potentially dangerous Request.Form value was detected from the client" when entering the script tag as well. What can I do here?
Related
I am implementing google login on my site.
The problem is that when Google redirects me back to my site (after confirmation) I can't get the access token from the query string.
This is the URL:
http://localhost/mysite/west/Default.aspx#state=/profile&access_token=ya29.qQDrtcVtgOEbS86Bg10puFG3dksJz74BlrEGulHldlJW2o5qQ6g7ilF17zQsm8iMLG0C82PQyp2Z-g&token_type=Bearer&expires_in=3600
I suspect that this #state=/profile makes some issue, but I can't handle it.
Am I missing something?
If the URL is like this (note that there is a # after Default.aspx, not a ?), then there is no direct way to get the query string (these are known as URL fragments, not the query string); they are meant to be parsed on the client side, and the server side doesn't have access to URL fragments.
http://localhost/mysite/west/Default.aspx#state=/profile&access_token=ya29.qQDrtcVtgOEbS86Bg10puFG3dksJz74BlrEGulHldlJW2o5qQ6g7ilF17zQsm8iMLG0C82PQyp2Z-g&token_type=Bearer&expires_in=3600
A link containing # means an anchor, a position on a web page. The browser sends a GET request to the server containing only the address of the entire page, with no anchor, fragment or whatever. When the server returns the page, the browser knows where to position it so the location of the anchor is visible. On the client side, in JavaScript, it is possible, as it has access to the anchor.
Read this - How to get Url Hash (#) from server side
You could use
document.URL to get the URL.
Then split the URL by #state=/profile&
Then the second part of the array split by &.
Then each section split by first =
There may be a more elegant solution but this should work.
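As an added example (not from either answer above), this does the client-side parsing they describe, but with URLSearchParams instead of manual splitting so values containing "/" or "=" survive, and it shows what the server actually receives. The redirect URL is constructed with a placeholder token.

```javascript
// Added example: parse implicit-flow parameters out of the URL fragment in the
// browser (or Node), and show which part of the URL the server receives.
// The sample URL is constructed; the token is a placeholder, not a real one.
const SAMPLE_REDIRECT =
  "http://localhost/mysite/west/Default.aspx#state=/profile" +
  "&access_token=PLACEHOLDER_TOKEN_abc.def-ghi&token_type=Bearer&expires_in=3600";

// Everything after '#' is the fragment. URLSearchParams splits on '&' and on
// the first '=' of each pair, so "/profile" or a token containing '=' is intact.
function parseFragmentParams(url) {
  const hash = new URL(url).hash; // "#state=/profile&access_token=..."
  const params = new URLSearchParams(hash.startsWith("#") ? hash.slice(1) : hash);
  return Object.fromEntries(params.entries());
}

// The request line the browser sends carries only path and query; the fragment
// never leaves the client, so server-side code cannot read it.
function serverVisiblePart(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// A server-side look-up of the token in the query string therefore fails on
// this redirect; the token must be read in the browser and handled from there.
function tokenReachesServer(url) {
  return new URL(url).searchParams.has("access_token");
}

console.log(parseFragmentParams(SAMPLE_REDIRECT));
console.log(serverVisiblePart(SAMPLE_REDIRECT)); // "/mysite/west/Default.aspx"
console.log(tokenReachesServer(SAMPLE_REDIRECT)); // false
```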
While using WWW in Unity3D (C#), I found a ridiculous result.
www.text has the error text, not www.error, so I can't check whether an error occurred.
if (!string.IsNullOrEmpty(www.error)) {
    // handling error
    // but www.error is null
} else {
    // print www.text
    Debug.Log(www.text);
}
[console output]
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Temporarily Unavailable</title>
</head><body>
<h1>Service Temporarily Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
Does anybody have this experience? Please help me.
Your check with IsNullOrEmpty looks fine to me. Never seen any whitespace there, only empty string or null.
Check what HTTP code is returned by the server. Stating in the HTML that this is the error code does not necessarily mean that the protocol error code is the same. Some proxies or broken setups can cause this.
Get cURL and check the error code:
curl -v http://example.com/lipsum
and look for:
< HTTP/1.1 404 Not Found
or similar.
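An added example (not from the answer above) of the check it recommends: read the status from the status line of a raw response as curl -v shows it, and compare it with the code the HTML body claims. The response is constructed to reproduce the mismatch the answer warns about (protocol says 404, body says 503).

```javascript
// Added example: the response below is constructed; the status line disagrees
// with the <title> of the body on purpose.
const RAW_RESPONSE = [
  "HTTP/1.1 404 Not Found",
  "Content-Type: text/html",
  "Connection: close",
  "",
  "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">",
  "<html><head><title>503 Service Temporarily Unavailable</title></head>",
  "<body><h1>Service Temporarily Unavailable</h1></body></html>",
].join("\r\n");

// Split status line, headers and body; the headers end at the first blank line.
function parseRawHttpResponse(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const [statusLine, ...headerLines] = head.split("\r\n");
  const m = /^HTTP\/\d\.\d (\d{3}) ?(.*)$/.exec(statusLine);
  if (!m) throw new Error("not an HTTP response: " + statusLine);
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(m[1]), reason: m[2], headers, body };
}

// The number an error page puts in <title> is only text: it is what www.text
// showed in the question, not what the protocol returned.
function bodyDeclaredStatus(body) {
  const m = /<title>\s*(\d{3})\b/i.exec(body);
  return m ? Number(m[1]) : null;
}

// Error handling should key off the protocol status (and transport failures),
// never off the body, because proxies and broken setups make the two disagree.
function classify(raw) {
  const r = parseRawHttpResponse(raw);
  const claimed = bodyDeclaredStatus(r.body);
  return { status: r.status, claimed, isError: r.status >= 400, mismatch: claimed !== null && claimed !== r.status };
}

console.log(classify(RAW_RESPONSE)); // { status: 404, claimed: 503, isError: true, mismatch: true }
```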
I am using the Add method of System.Net.CookieContainer. It has worked well over the years but suddenly I am getting:
Exception calling "Add" with "2" argument(s): "The
'Value'='321,386,%2F%3Fa%3D1,http%3A%2F%2Fwww.xxxx.com%2Fpremium%2Fmoney'
part of the cookie is invalid."
I was adding a cookie returned from a web page. The raw header from the web page is:
...
_chartbeat_uuniq=1;
_chartbeat5=321,386,%2F%3Fa%3D1,http%3A%2F%2Fwww.xxx.com%2Fpremium%2Fmoney;
gs_p_GSN-375009-Z=0;
...
What is wrong with the cookie value? Is it the comma?
You should encode the cookie value. The best way is by using UrlEncode. Check this out.
HttpServerUtility.UrlEncode
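An added example (not from the answer above) that checks the value from the question against the RFC 6265 cookie-octet grammar, which excludes the comma, and produces an encoded value that passes. encodeURIComponent is used here as the JavaScript stand-in for HttpServerUtility.UrlEncode; that mapping is my assumption, not part of the answer.

```javascript
// Added example: the value is the one from the question; the grammar check is
// the RFC 6265 cookie-octet set, which is what rejects the comma.
const RAW_VALUE = "321,386,%2F%3Fa%3D1,http%3A%2F%2Fwww.xxx.com%2Fpremium%2Fmoney";

// cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e. printable
// US-ASCII minus space, DQUOTE, comma, semicolon and backslash.
const COOKIE_OCTET = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function isValidCookieValue(value) {
  return COOKIE_OCTET.test(value);
}

// Which characters make the value invalid (each listed once).
function offendingChars(value) {
  const bad = new Set();
  for (const ch of value) if (!COOKIE_OCTET.test(ch)) bad.add(ch);
  return [...bad];
}

// encodeURIComponent percent-encodes everything outside A-Z a-z 0-9 - _ . ! ~ * ' ( ),
// which covers every character the cookie grammar rejects (assumed stand-in
// for UrlEncode; the two differ in details such as how a space is written).
function encodeCookieValue(value) {
  return encodeURIComponent(value);
}

// Round trip so the consuming side can restore the original value.
function decodeCookieValue(value) {
  return decodeURIComponent(value);
}

console.log(offendingChars(RAW_VALUE)); // [ ',' ]
console.log(isValidCookieValue(encodeCookieValue(RAW_VALUE))); // true
```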
I've got a text area that contains HTML. I expect the content to be escaped when posted to the controller method but I'm finding it is escaped twice. What could possibly cause this? See the example below:
Pulled from request:
<b>test</b>
WebUtility.HtmlDecode 1st time:
<b>test</b>
WebUtility.HtmlDecode 2nd time:
<b>test</b>
I'm no expert when it comes to web development but I've got about 2 years of experience. This is the first time I've seen anything like this. I've attempted adding the following sections to my Web.config with no luck:
<pages validateRequest="false" />
<httpRuntime requestValidationMode="2.0" />
<security>
<requestFiltering allowDoubleEscaping="false" />
</security>
Please let me know if I can provide more information.
It turns out the problem lay in the textarea itself. In the view it was just a standard textarea, but in JavaScript, on document.ready, it was then made into a kendoEditor. The kendoEditor was encoding the HTML first, then ASP.NET was applying its standard encoding as well. Setting the attribute encoded equal to false fixed the issue:
$("#editor").kendoEditor({
encoded: false
});
Update:
I found later that setting the encoded attribute to false would introduce another problem. On submit I received an "A potentially dangerous Request.Form value was detected from the client" error when using formatting tools from the built-in KendoEditor toolbar. My solution was to double-decode the posted request:
WebUtility.HtmlDecode(WebUtility.HtmlDecode(Request["value"]));
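An added example (not the asker's code) that reconstructs what each stage of the double encoding looks like, since the entities in the question above were lost in rendering. htmlEncode/htmlDecode are minimal stand-ins for WebUtility.HtmlEncode/HtmlDecode, assumed here rather than taken from the framework; the input is constructed.

```javascript
// Added example: the editor and ASP.NET each encoded the posted HTML once, so the
// controller received a twice-encoded string. Stand-in encoder/decoder below.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function htmlEncode(s) {
  return s.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

function htmlDecode(s) {
  return s
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&"); // '&amp;' last, so one pass undoes exactly one layer
}

// Number of encoding layers wrapped around a string: decode until it stops changing.
function encodingLayers(s) {
  let layers = 0;
  for (let prev = s, next = htmlDecode(s); next !== prev; prev = next, next = htmlDecode(next)) layers++;
  return layers;
}

// What the controller received after editor + ASP.NET each encoded once.
const posted = htmlEncode(htmlEncode("<b>test</b>"));

console.log(posted);                         // &amp;lt;b&amp;gt;test&amp;lt;/b&amp;gt;
console.log(htmlDecode(posted));             // &lt;b&gt;test&lt;/b&gt;   (1st HtmlDecode)
console.log(htmlDecode(htmlDecode(posted))); // <b>test</b>              (2nd HtmlDecode)
console.log(encodingLayers(posted));         // 2

// Decoding twice also turns a legitimately single-encoded "&amp;lt;" typed by a
// user into raw markup, so whatever is rendered later still needs encoding or
// sanitising at output time.
```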
I don't understand why I am getting an exception when calling the action from my controller by typing the full URL.
It works fine when calling from a form or an AJAX post using jQuery, and it is not set up to accept only POST. For my last try, I explicitly specified HttpGet and set validation page = false in the web.config. I'm lost.
This is the URL I am passing: main/request/theprogram=xx&theaction=yyy&theobject=
Exception:
A potentially dangerous Request.Path value was detected from the client (&).
You are passing & as part of the "path" portion of the URI, which is very unusual and triggers the warning.
Most likely you want it to be part of the "query" portion (notice the ? that separates the query portion):
main/request/?theprogram=xx&theaction=yyy&theobject=
If you want parameters to be part of the path, then it is normal not to have names but simply positional values, or to use a path-safe separator like ():
main/request/xx/yyy/
main/request/theprogram(xx)/theaction(yyy)/theobject()
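An added example (not from the answer above) that shows which URL component the & from the question lands in, and builds the two safe forms the answer describes: a proper query string and positional path segments. The base URL and values are constructed.

```javascript
// Added example: locate the '&' and build the query-string and positional-path
// alternatives. BASE is a constructed local URL.
const BASE = "http://localhost/main/request/";

// Returns "path", "query" or "none" depending on which component holds '&'.
// The request-validation error in the question fires because the '&' sits in
// the path component, where ASP.NET does not expect it.
function componentHoldingAmpersand(url) {
  const u = new URL(url);
  if (u.pathname.includes("&")) return "path";
  if (u.search.includes("&")) return "query";
  return "none";
}

// Query-string form: "main/request/?theprogram=xx&theaction=yyy&theobject=".
// URLSearchParams percent-encodes each name and value, so an '&' or '=' inside
// a value cannot break the structure.
function buildQueryForm(base, params) {
  const u = new URL(base);
  u.search = new URLSearchParams(params).toString();
  return u.toString();
}

// Positional path form: "main/request/xx/yyy/". Each value becomes one segment;
// encodeURIComponent stops '/', '&' and '?' inside a value from acting as
// delimiters (an empty value yields an empty final segment, as in the answer).
function buildPathForm(base, values) {
  return base + values.map(encodeURIComponent).join("/");
}

const params = { theprogram: "xx", theaction: "yyy", theobject: "" };
console.log(componentHoldingAmpersand(BASE + "theprogram=xx&theaction=yyy&theobject=")); // "path"
console.log(buildQueryForm(BASE, params)); // http://localhost/main/request/?theprogram=xx&theaction=yyy&theobject=
console.log(buildPathForm(BASE, Object.values(params))); // http://localhost/main/request/xx/yyy/
```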