ASP.NET MVC URL Parameters Double Escaped? - c#

I've got a text area that contains HTML. I expect the content to be escaped when posted to the controller method but I'm finding it is escaped twice. What could possibly cause this? See the example below:
Pulled from request:
&amp;lt;b&amp;gt;test&amp;lt;/b&amp;gt;
WebUtility.HtmlDecode 1st time:
&lt;b&gt;test&lt;/b&gt;
WebUtility.HtmlDecode 2nd time:
<b>test</b>
I'm no expert when it comes to web development but I've got about 2 years of experience. This is the first time I've seen anything like this. I've attempted adding the following sections to my Web.config with no luck:
<pages validateRequest="false" />
<httpRuntime requestValidationMode="2.0" />
<security>
<requestFiltering allowDoubleEscaping="false" />
</security>
Please let me know if I can provide more information.

It turns out the problem lay in the textarea itself. In the view it was just a standard textarea, but in JavaScript, in document.ready, it was then made into a kendoEditor. The kendoEditor was encoding the HTML first, then ASP.NET was applying its standard encoding as well. Setting the attribute encoded equal to false fixed the issue:
$("#editor").kendoEditor({
encoded: false
});
Update:
I found later that setting the encoded attribute to false would introduce another problem. On submit I received an "A potentially dangerous Request.Form value was detected from the client" error when using formatting tools from the built-in KendoEditor toolbar. My solution was to double-decode the posted request:
WebUtility.HtmlDecode(WebUtility.HtmlDecode(Request["value"]));
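As an added illustration of the double-encoding round trip described in this answer (example code, not from the original post or from Kendo): WebUtility.HtmlEncode is applied twice to constructed sample markup, and a small helper then decodes until the value stops changing instead of hard-coding two passes. The helper name DecodeToFixedPoint and the cap of four rounds are assumptions. The last lines show why the double decode deserves care: the double-encoded text contains no '<' for request validation to object to, so whatever the decoder reconstructs has to be sanitised or re-encoded before it is rendered.

```csharp
using System;
using System.Net;

static class DoubleEncodingDemo
{
    // Apply WebUtility.HtmlDecode until the string stops changing, capped at
    // maxRounds so adversarial input cannot keep the loop busy.
    // rounds reports how many decode passes actually changed the value.
    public static string DecodeToFixedPoint(string input, int maxRounds, out int rounds)
    {
        rounds = 0;
        string current = input;
        while (rounds < maxRounds)
        {
            string next = WebUtility.HtmlDecode(current);
            if (next == current) break;
            current = next;
            rounds++;
        }
        return current;
    }

    static void Main()
    {
        // Constructed sample: the editor encodes the markup once and a second
        // layer encodes the already-encoded text again.
        string once  = WebUtility.HtmlEncode("<b>test</b>");
        string twice = WebUtility.HtmlEncode(once);
        Console.WriteLine(twice);

        string decoded = DecodeToFixedPoint(twice, 4, out int passes);
        Console.WriteLine($"{decoded} (after {passes} decode passes)");

        // The double-encoded form contains no '<', so ASP.NET request validation
        // has nothing to reject; decoding on the server reconstructs the raw markup.
        // Anything recovered this way must be sanitised or HTML-encoded again before
        // it is written into a page.
        string hostile = WebUtility.HtmlEncode(WebUtility.HtmlEncode("<script>alert(1)</script>"));
        Console.WriteLine(DecodeToFixedPoint(hostile, 4, out _));
    }
}
```

Compile with any C# 7 or later compiler; the only dependency is System.Net.WebUtility, which is available in both .NET Framework 4.5+ and .NET Core.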

Related

script tag throws Forbidden Request

Hello, I am working on XSS validation; I am trying to avoid script tags.
I put the validation in the request filter like below:
<add Url="" ValidateHeaders="true" ValidateBody="true" ValidateQueryString="true" BlockedTags="script" />
Then, when doing my dev test, I tested with the two tags below:
1. img tag
Output: A potentially dangerous Request.Form value was detected from the client ().
2. script tag
Output: Forbidden Request (and system logout)
I am expecting to get "A potentially dangerous Request.Form value was detected from the client" when I enter a script tag as well. What can I do here?

I get a 400 bad request - invalid Url when the length of the request exceeds 320+ characters

Not sure what the reason could be. I also added the following in Web.config:
maxUrlLength="1024" maxQueryStringLength="1024" requestPathInvalidCharacters="" maxRequestLength="1024" relaxedUrlToFileSystemMapping="true"
I encode the URI parameter and send the request but get an invalid URL every time.
Url: http://localhost:51840/api/xxxxxxx/xxxxxxxxxxxx/n4cEF3OM0LC0q8I6OMe0XdHo8evXnoeyC06A%252fL%252fu0a%252f6e0RQrdxl2%252fPkSKNfh4aEQm78TReX1zIfGDB1bgH%252bGBEI%252fBw6i0DwQ6%252b3dk6yjs1UZqqICQye6QqVX8bJT%252fBK7GE8a22FeXJiPVtEgFRmp4WcHc4pIRHaE6QGK28kiASGFfUC9tDdRZhLfmYJsluGpsseSUOc5Inxlf3fTFNe7sg7gixrLTlwhfJIATZWWsPc%252bfo6BITTFA%253d%253d
If I reduce the URL to the following it works fine:
http://localhost:51840/api/xxxxxxx/xxxxxxxxxxxx/n4cEF3OM0LC0q8I6OMe0XdHo8evXnoeyC06A%252fL%252fu0a%252f6e0RQrdxl2%252fPkSKNfh4aEQm78TReX1zIfGDB1bgH%252bGBEI%252fBw6i0DwQ6%252b3dk6yjs1UZqqICQye6QqVX8bJT%252fBK7GE8a22FeXJiPVtEgFRmp4WcHc4pIRHaE6QGK28kiASGFfUC9tDdRZhLfmYJsluGpsseSUOc5Inxlf3fTFNe7sg7gixrLTlwhfJIATZWWsPc%252bfo6BI
With the last 10+ characters included it gives me a bad request. Any help greatly appreciated.
Just documenting my experience:
My issue was the one pointed out by @Mark in the question comments:
"by default the maximum url segment length is 260"
He suggested increasing this limit in the registry, but I didn't want that kind of trouble. The suggestion by @Vignesh T worked better:
"Replaced the url segment into a querystring parameter and it worked fine"
In summary, instead of doing:
http://path.to.website/very-long-string-goes-here/
I just did:
http://path.to.website/?key=very-long-string-goes-here
Run in PowerShell:
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters -Name UrlSegmentMaxLength -Value 2000 -Type "Dword"
Then run net stop http and net start http.
https://blogs.msdn.microsoft.com/amyd/2014/02/06/response-400-bad-request-on-long-url/

Why Am I getting: "A potentially dangerous Request.Path value was detected from the client (&)."?

I don't understand why I get an exception calling the action on my controller by typing the full URL.
It works fine when called from a form or an AJAX POST using jQuery; it is not set up to accept only POST. As my last try, I just specified HttpGet explicitly and set up validation page = false in the web.config. I'm lost.
This is the URL I am passing: main/request/theprogram=xx&theaction=yyy&theobject=
exception:
A potentially dangerous Request.Path value was detected from the client (&).
You are passing & as part of the "path" portion of the URI, which is very unusual and triggers the warning.
Most likely you want it to be part of the "query" portion (notice the ? that separates the query portion):
main/request/?theprogram=xx&theaction=yyy&theobject=
If you want parameters to be part of the path then it is normal not to have names, but simply positional values, or to use a path-safe separator like ():
main/request/xx/yyy/
main/request/theprogram(xx)/theaction(yyy)/theobject()
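Added example (not from either of the answers above) tying together the two fixes suggested in this thread and the previous one: put data in the query string, escape each name and value exactly once with Uri.EscapeDataString, and keep long opaque tokens out of the path, where http.sys applies its per-segment limit. The helper names WithQuery, ParseQuery and LongestPathSegment are assumptions, and the sample token is constructed. One caveat the long-URL question illustrates: a value that already reads %252f has been escaped twice (%2f escaped again), and the server will unescape it only once.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

static class QueryUrlDemo
{
    // Append name/value pairs as a query string, escaping each part exactly once.
    // Uri.EscapeDataString turns '&', '=', '/', '+' and '?' inside a value into %XX
    // sequences, so a value can neither split the query nor become a path segment.
    public static string WithQuery(string baseUrl, IEnumerable<KeyValuePair<string, string>> parameters)
    {
        var sb = new StringBuilder(baseUrl);
        string separator = baseUrl.Contains("?") ? "&" : "?";
        foreach (var kv in parameters)
        {
            sb.Append(separator)
              .Append(Uri.EscapeDataString(kv.Key))
              .Append('=')
              .Append(Uri.EscapeDataString(kv.Value));
            separator = "&";
        }
        return sb.ToString();
    }

    // Reverse of WithQuery: split on '&' and '=' first, unescape each part once afterwards.
    public static Dictionary<string, string> ParseQuery(string url)
    {
        var result = new Dictionary<string, string>();
        int q = url.IndexOf('?');
        if (q < 0) return result;
        foreach (string pair in url.Substring(q + 1).Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            string name  = eq < 0 ? pair : pair.Substring(0, eq);
            string value = eq < 0 ? ""   : pair.Substring(eq + 1);
            result[Uri.UnescapeDataString(name)] = Uri.UnescapeDataString(value);
        }
        return result;
    }

    // Length of the longest path segment. http.sys rejects a segment longer than
    // UrlSegmentMaxLength (260 by default, as the previous thread notes) with 400 Bad Request.
    public static int LongestPathSegment(string url)
    {
        return new Uri(url).Segments.Max(s => s.TrimEnd('/').Length);
    }

    static void Main()
    {
        // Constructed sample values: the name/value pairs from the Request.Path question
        // and a base64-style token containing '/', '+', '=' and a stray '&'.
        var parameters = new List<KeyValuePair<string, string>>
        {
            new KeyValuePair<string, string>("theprogram", "xx"),
            new KeyValuePair<string, string>("theaction", "yyy"),
            new KeyValuePair<string, string>("theobject", ""),
            new KeyValuePair<string, string>("key", "n4cEF3OM0LC0q8I6OMe0Xd/Ho8ev+xnoey==&tricky"),
        };

        string url = WithQuery("http://localhost:51840/main/request/", parameters);
        Console.WriteLine(url);

        var back = ParseQuery(url);
        Console.WriteLine(back["key"] == parameters[3].Value ? "query round-trip ok" : "query round-trip FAILED");

        // The same token placed in the path instead of the query trips the segment limit.
        string inPath = "http://localhost:51840/api/x/" + Uri.EscapeDataString(new string('A', 300));
        Console.WriteLine($"longest segment, path form:  {LongestPathSegment(inPath)} chars");
        Console.WriteLine($"longest segment, query form: {LongestPathSegment(url)} chars");
    }
}
```

The round-trip check is the test to keep: if ParseQuery cannot recover the exact value that went into WithQuery, some layer in between is escaping or unescaping a second time.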

UpdatePanel Postback Error: Sys.WebForms.PageRequestManagerParserErrorException

Already looked at this:
Sys.WebForms.PageRequestManagerParserErrorException - what it is and how to avoid it
Problem is that it's only happening on my dev box. Two other developers are fine.
It's consistent and reproducible - I've tried deleting temporary internet files, deleted my obj and bin files and rebooting.
The response is clearly truncated when I look at it in the debugger when it hits the error.
Where else do I need to check to clear/clean out?
The error I'm seeing in the code is:
Microsoft JScript runtime error:
Sys.WebForms.PageRequestManagerParserErrorException: The message
received from the server could not be parsed. Common causes for this
error are when the response is modified by calls to Response.Write(),
response filters, HttpModules, or server trace is enabled. Details:
Error parsing near ' </tr>
'.
_endPostBack: function PageRequestManager$_endPostBack(error, executor, data) {
if (this._request === executor.get_webRequest()) {
this._processingRequest = false;
this._additionalInput = null;
this._request = null;
}
var eventArgs = new Sys.WebForms.EndRequestEventArgs(error, data ? data.dataItems : {}, executor);
Sys.Observer.raiseEvent(this, "endRequest", eventArgs);
if (error && !eventArgs.get_errorHandled()) {
throw error; // THIS IS WHERE THE ERROR IS THROWN
}
},
This is during an Ajax postback.
There are no Response.Write calls.
I'm using Cassini/VS 2010 Development Server; how do I tell if there are filters?
ditto
Server trace is not enabled
No calls to Server.Transfer
In firebug, I can see that the response to the POST is truncated. Problem happens in Firefox or IE, and whether I'm debugging in VS or not.
The problem does go away if I switch to IIS Express in Visual Studio, and then it returns when I am back on the ASP.NET Development Server.
I have seen this problem before with Cassini. I solved it by adding the following to the Web.config:
<system.web>
<httpModules>
<add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</httpModules>
</system.web>
The entry above is for version 1.0. Make sure that the Version and PublicKeyToken attributes match the ASP.NET AJAX version that you are using. Also, you may want to disable event validation in your page:
enableEventValidation="false"
Hope it helps!
After our talk, my idea was that maybe for some reason Cassini cannot hold a big postback field, and a big one is the viewstate.
So if the viewstate is a very big one, maybe this is the problem.
A second case may be if the viewstate contains characters that sometimes do not pass through the router or some firewall, which cuts them as a possible attack or virus.
Possible solutions: compress the viewstate, and/or cut it into smaller parts.
You can also download the latest developer edition of Cassini, with lots of improvements, at http://cassinidev.codeplex.com/; it may have fixed this issue.
Are you using some kind of HTTP module compression? It seems to cause problems very much like yours when using UpdatePanels. Please review this post.
If you are not using compression, maybe another HttpModule-related error is making you suffer. Try adding this to your web page:
enableEventValidation="false"
Maybe you could catch the exception with this kind of code:
protected void ScriptManager1_AsyncPostBackError(object sender, AsyncPostBackErrorEventArgs e)
{
    // Diagnostic only: this sends the exception message and stack trace back to the browser.
    ScriptManager1.AsyncPostBackErrorMessage = e.Exception.Message + e.Exception.StackTrace;
}
<asp:ScriptManager ID="ScriptManager1" runat="server"
    OnAsyncPostBackError="ScriptManager1_AsyncPostBackError">
</asp:ScriptManager>
Source for that last thing.
Error:
Sys.WebForms.PageRequestManagerServerErrorException: Sys.WebForms.PageRequestManagerServerErrorException: An unknown error occurred while processing the request on the server. The status code returned from the server was: 500
Solution:
<add key="aspnet:MaxHttpCollectionKeys" value="100000"/>
Add the above key in the appSettings section.

Getting U+fffd/65533 instead of special character from Query String

I have a C# .NET web project that has a globalization tag set to:
<globalization requestEncoding="utf-8" responseEncoding="utf-8" culture="nb-no" uiCulture="no"/>
When this URL is called from a Flash application (you get the same problem when you enter the URL manually in a browser): c_product_search.aspx?search=kjøkken (alternatively: c_product_search.aspx?search=kj%F8kken)
Both return the following character codes:
k U+006b 107
j U+006a 106
� U+fffd 65533
k U+006b 107
k U+006b 107
e U+0065 101
n U+006e 110
I don't know too much about character encoding, but it seems that the ø has been given a Unicode replacement character, right?
I tried to change the globalization tag to:
<globalization requestEncoding="iso-8859-1" responseEncoding="utf-8" culture="nb-no" uiCulture="no"/>
That made the request work. However, now, other searches on my page stopped working.
I also tried the following with similar results:
NameValueCollection qs = HttpUtility.ParseQueryString(Request.QueryString.ToString(), Encoding.GetEncoding("iso-8859-1"));
string search = (string)qs["search"];
What should I do?
Kind Regards,
nitech
The problem comes from the combination Firefox/ASP.NET. When you manually enter a URL in Firefox's address bar, if the URL contains French or Swedish characters, Firefox will encode the URL with "ISO-8859-1" by default.
But when ASP.NET receives such a URL, it thinks that it's UTF-8 encoded ... and the encoded characters become "U+fffd". I couldn't find a way in ASP.NET to detect that the URL is "ISO-8859-1". Request.Encoding is set to utf-8 ... :(
Several solutions exist:
Put <globalization requestEncoding="iso-8859-1" responseEncoding="iso-8859-1"/> in your Web.config. But you may come up against other problems, and your application won't be standard anymore (it will not work with languages like Japanese) ... And anyway, I prefer using UTF-8!
Go to about:config in Firefox and set the value of network.standard-url.encode-query-utf8 to true. It will now work for you (Firefox will encode all your URLs with UTF-8). But not for anybody else ...
The least worst solution I could come up with was to handle this in code. If the default decoding didn't work, we re-parse the QueryString with ISO-8859-1:
string query = Request.QueryString["search"];
// A lenient UTF-8 decode leaves U+FFFD wherever the bytes were not valid UTF-8.
if (query != null && query.Contains("\ufffd"))
    query = HttpUtility.ParseQueryString(Request.Url.Query, Encoding.GetEncoding("iso-8859-1"))["search"];
query = HttpUtility.UrlDecode(query);
It works with hyperlinks and manually entered URLs, in French, English, or Japanese. But I don't know how it will handle other encodings like ISO-8859-5 (Russian) ...
Does anyone have a better solution?
This solves only the problem of manually entered URLs. In your hyperlinks, don't forget to encode URL parameters with HttpUtility.UrlEncode on the server, or encodeURIComponent in the JavaScript code. And use HttpUtility.UrlDecode to decode them.
public string GetEncodedQueryString(string key)
{
    string query = Request.QueryString[key];
    // U+FFFD in the default (UTF-8) decode means the bytes were not valid UTF-8;
    // re-parse the raw query with ISO-8859-1 in that case.
    if (query != null && query.IndexOf('\ufffd') >= 0)
        query = HttpUtility.ParseQueryString(Request.Url.Query, Encoding.GetEncoding("iso-8859-1"))[key];
    return query;
}
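The two fragments in this answer detect a failed UTF-8 decode by looking for U+FFFD after the fact. The added example below (not from the original answer; the class and method names are assumptions, and the sample inputs are constructed) does the percent-decoding itself and decodes the raw bytes with a strict UTF8Encoding that throws on malformed input, falling back to ISO-8859-1 only then. The third sample shows why the after-the-fact check is ambiguous: a client can legitimately send U+FFFD itself as %EF%BF%BD. Whichever branch runs, the decoded value is still untrusted input, so validate it after decoding rather than on the raw percent-encoded form.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

static class QueryEncodingDemo
{
    // Strict UTF-8 decoder: throws DecoderFallbackException on malformed bytes
    // instead of silently emitting U+FFFD.
    static readonly Encoding StrictUtf8 = new UTF8Encoding(false, true);
    static readonly Encoding Latin1 = Encoding.GetEncoding("iso-8859-1");

    // Percent-decode a single query value to raw bytes: '+' becomes a space,
    // %XX becomes one byte, and any literal non-ASCII character is taken as UTF-8.
    public static byte[] PercentDecode(string value)
    {
        var bytes = new List<byte>(value.Length);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            if (c == '+')
            {
                bytes.Add((byte)' ');
            }
            else if (c == '%' && i + 2 < value.Length
                     && Uri.IsHexDigit(value[i + 1]) && Uri.IsHexDigit(value[i + 2]))
            {
                bytes.Add(Convert.ToByte(value.Substring(i + 1, 2), 16));
                i += 2;
            }
            else
            {
                bytes.AddRange(Encoding.UTF8.GetBytes(c.ToString()));
            }
        }
        return bytes.ToArray();
    }

    // Decode as UTF-8 when the bytes are well-formed UTF-8, otherwise as ISO-8859-1.
    // encodingUsed reports which branch was taken so the caller can log it.
    public static string DecodeValue(string rawValue, out string encodingUsed)
    {
        byte[] bytes = PercentDecode(rawValue);
        try
        {
            string text = StrictUtf8.GetString(bytes);
            encodingUsed = "utf-8";
            return text;
        }
        catch (DecoderFallbackException)
        {
            encodingUsed = "iso-8859-1";
            return Latin1.GetString(bytes);
        }
    }

    static void Main()
    {
        // Constructed inputs: "kjøkken" as a UTF-8 browser sends it, as Firefox sent it
        // in the question (ISO-8859-1), and a value that carries a literal U+FFFD,
        // which a check for U+FFFD after lenient decoding would misread as a failure.
        foreach (string raw in new[] { "kj%C3%B8kken", "kj%F8kken", "kj%EF%BF%BDkken" })
        {
            string value = DecodeValue(raw, out string used);
            Console.WriteLine($"{raw,-16} -> {value}  ({used})");
        }
    }
}
```

The fallback is still a guess: any byte sequence is valid ISO-8859-1, so a request that fails strict UTF-8 will always decode to something, and an attacker chooses which branch runs. Log encodingUsed and treat the Latin-1 branch as a signal worth monitoring rather than as proof of the client's intent.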
I think your problem is in the Flash, not the .NET.
It sends the special character in a weird way.
Try to URL-encode the search string before you send it to the server.
If the app is expecting the URL-encoded request to be based on UTF-8, the character "ø" should be "%C3%B8", not "%F8". Whatever function you're using to escape/encode that request, you probably need to pass it the name of the underlying character encoding, "UTF-8".
It turns out that ActionScript 2.0 will send the URL encoded/escaped with UTF-8 while ActionScript 3.0 used ISO-8859-1. The way to solve this was to change the Request.Encoding value inside Global.asax if an encoding is specified in the URL:
void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext ctx = HttpContext.Current;
    // Only override the request encoding when the client named one in the URL.
    string encodingName = ctx.Request["encoding"];
    if (!String.IsNullOrEmpty(encodingName))
    {
        // Encoding.GetEncoding throws ArgumentException for a name it does not know,
        // so accept only the encodings this application actually expects.
        if (encodingName.Equals("utf-8", StringComparison.OrdinalIgnoreCase) ||
            encodingName.Equals("iso-8859-1", StringComparison.OrdinalIgnoreCase))
        {
            ctx.Request.ContentEncoding = System.Text.Encoding.GetEncoding(encodingName);
        }
    }
}
Could it be done differently?
Regards,
nitech
