HttpRequestValidationException showing YSOD despite customErrors section - c#

We've modified our customErrors section to protect against the recent ASP.NET vulnerability.
Our problem is that HttpRequestValidationExceptions are now causing a YSOD to be shown; other exceptions and page-not-found errors are showing our custom error page.
If we change the redirectMode to ResponseRedirect everything works fine.
This is our modified section:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx"/>
This question has nothing to do with the recent ASP.NET vulnerability! It's about the ResponseRewrite redirectMode in combination with HttpRequestValidationExceptions. We know there will soon be a patch and that we could change back to ResponseRedirect.
Kind regards, Martin

This happens when your error page generates an error.
Make sure you turn off request validation on your error page. <%@ Page ValidateRequest="false" %>
You then of course need to encode any user input that displays on your error page, e.g. Server.HtmlEncode(ex.Message)
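A single-file Error.aspx that applies both points of the answer above, as an added example that is not part of the original answer. The control IDs and the page text are assumptions; on ASP.NET 4 the ValidateRequest attribute is only honoured with requestValidationMode="2.0", which is discussed further down this page.

```aspx
<%@ Page Language="C#" ValidateRequest="false" %>
<script runat="server">
    // Added example: Error.aspx, the page named in defaultRedirect.
    protected void Page_Load(object sender, EventArgs e)
    {
        // Under redirectMode="ResponseRewrite" this page executes inside the
        // request that failed, so the rejected input is still attached to it.
        // ValidateRequest="false" above keeps the page from re-validating it.
        Response.StatusCode = 500;

        // Request-derived text is encoded before it reaches the markup.
        RequestedPath.Text = Server.HtmlEncode(Request.Path);

        // Exception text can contain the offending input (a request
        // validation failure quotes part of the value), so it is encoded
        // too, and shown only to requests made from the server itself.
        Exception ex = Server.GetLastError();   // null if nothing was recorded
        if (ex != null && Request.IsLocal)
        {
            Detail.Text = Server.HtmlEncode(ex.GetBaseException().Message);
        }
    }
</script>
<!DOCTYPE html>
<html>
<head><title>Error</title></head>
<body>
    <h1>Something went wrong</h1>
    <p>The request for <asp:Literal ID="RequestedPath" runat="server" /> could not be completed.</p>
    <p><asp:Literal ID="Detail" runat="server" /></p>
</body>
</html>
```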

Related

ASP.NET display "site down" page instead of YSOD if failure during startup

I'm trying to serve a custom "site down" page instead of the standard YSOD if the server were ever to fail during its startup. Using <customErrors> inside of web.config works fine for any server error occurring after startup has completed successfully, but in this case the YSOD response is not replaced.
Other resources have led me to adding app_offline.htm to the root of the project and playing with its name during deployment, but this does not tackle unexpected server issues occurring during startup.
Is there a way to serve a "default" page if there are any errors or a proper HTTP response could not be formed?
Yes there is a way to do that but that depends how you want to handle those errors.
If you want to redirect to the same error page on any 4xx or 5xx status codes then you can use the below code in your web.config file
<customErrors mode="On" defaultRedirect="Error.aspx">
</customErrors>
In error page you can display some user friendly message.

Fallback from dynamic error page to static error page

I know, we should always use static error pages, but in my case I've got to use a dynamic error page "ErrorPage.aspx" with a .cs file. Now since we are running a security audit for https certificate; it shows a very possible scenario where there might be an error in this ErrorPage.aspx itself.
I've specified the custom error element in the web config which redirects any error to this dynamic page and as usual have set the mode to on.
e.g.
<customErrors mode="On" defaultRedirect="ErrorPage.aspx" >
<error statusCode="404" redirect="Login.aspx"/>
</customErrors>
Now what if there's an error in error page, where shall I redirect it. Therefore, in my first attempt, I added a static html page error.htm to the project and in my errorpage.aspx's page directive I added errorpage="error.htm". But it's not working, instead it shows me a web config error saying I should set mode to "RemoteOnly".
I think I need to check explicitly the error codes in errorpage.aspx and then perform the re-direction but that'll be quite lengthy. I want to know if there's a better option to do it.
I hope I've made my problem clear.

Disable ValidateRequest for a specific page

Friends I am in trouble and need your help.
For database management in the admin section of my website I have few text fields where I would like to input data along with HTML tags.
As soon as I add any HTML tag such as < BR /> the SQLDATASOURCE Update gives an error "A potentially dangerous Request.Form value was detected from the client".
Already tried ValidateRequest="false" but it didn't work.
Cannot use AJAX Editor due to space issue.
<httpRuntime requestValidationMode="2.0" />
If I use httpRuntime requestValidationMode then it disables validation on the whole website, making it open for hackers.
Friends, how can I disable ValidateRequest only for specific page(s) in the admin section?
In .NET Framework 4.0, if you set requestValidationMode="2.0" in web.config, it doesn't mean validation will be disabled for the whole site. It just changes back to the 2.0 validation mode, which validates only .aspx pages. So you can set the validateRequest page directive attribute to false for the pages you want to disable after setting to 2.0 mode.
MSDN: requestValidationMode=2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.
You can set an attribute on your controller methods or controller to disable the validationRequest
[ConfigurationPropertyAttribute("validateRequest", DefaultValue= false)]
You are missing the ValidateRequest="false" in your page directive

How to change the default behaviour for customErrors pages in Asp.Net

I use Asp.Net 4 and C#.
I would like to know how to change the default behaviour of Asp.Net customErrors.
In my Web.Config file I use these settings.
<customErrors mode="On" defaultRedirect="/ErrorPages/Oops.aspx">
<error statusCode="404" redirect="/ErrorPages/404.aspx" />
</customErrors>
As you can expect, if a page is not found a redirect occurs to the custom page specified in Web.Config.
Requested page:
http://localhost:1372/nopagehere
Result page:
http://localhost:1372/ErrorPages/404.aspx?aspxerrorpath=/nopagehere
When I analyse the Http Header for the Result page I can see:
a 404 Status when the page is not found
a 302 Status for the new created url
I would like to change this behavior in this way:
when a request to a not found page has been made http://localhost:1372/nopagehere
the result should be only http://localhost:1372/nopagehere (no 302 redirect) and with status code only on 404.
Any idea how to do it? Thanks for your time on this.
I guess you are looking for the redirectMode attribute on your <customErrors> section.
See: http://msdn.microsoft.com/en-us/library/h0hfz6fc.aspx
I think you want to set it to redirectMode="ResponseRewrite". This throws a 404 and shows the content of your 404 page, but without redirecting to the actual 404 page.
Maybe removing the status code 404 from the custom errors and let the default redirect page handle it.

Problem with defaultRedirect in Web.Config <customErrors>

I use Asp.net 4.
Here setting for my Web.Config file.
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="/ErrorPages/Oops.aspx">
<error statusCode="404" redirect="/ErrorPages/404.aspx" />
</customErrors>
I need to apply the defaultRedirect url for any Exception, and use the redirectMode="ResponseRewrite" for only Page Not Found 404.
With this setting at the moment I can manage properly the Page Not Found (I'm able to get the 404.aspx page) but if an exception arises on any other page I get the "Internet Explorer cannot display the webpage" and I'm not able to reach the defaultRedirect Oops.aspx.
What am I doing wrong here?
One problem with having an aspx page as the target of a custom errors redirect is that errors that aren't specific to a page (e.g. errors in global.asax; errors processing web.config) will also be thrown by the target page, which can result in an infinite redirect loop.
For this reason, it's often better to have a static html page as the target of at least the defaultRedirect.
Try putting the ~ in the redirect URL.
redirect="~/ErrorPages/404.aspx"
How many bytes is the error page content and does it set an HTTP status code other than 200 OK? In Internet Explorer with "Show friendly HTTP error messages" on, which is the default, custom error pages that have content under 512 bytes in length will be suppressed by the IE browser and replaced with the "friendly" error message.
To see if this is your problem, you can try turning off the "Show friendly HTTP error messages" option under Tools, Internet Options, Advanced, Settings. It'll be under the Browsing category in the Settings area.
If the page shows up with the option turned off, try turning it back on and changing your page to add an image or some other element that will make the size over 512 bytes long.
