Upgrading issue in ASP.NET 3.5 to 4 for HTML post

07 Mar

If you have ASP.NET 3.5 projects with text boxes that allow the user to enter HTML (a very common theme in CMS systems) and you want to upgrade the project from ASP.NET 3.5 to 4.0, you might run into trouble on those pages. You might get this kind of error:
“A potentially dangerous Request.Form value was detected from the client”

In .NET 3.5 you can fix the similar “potentially dangerous request” issue as follows: add ValidateRequest="false" to each web page that accepts an HTML post.

// add ValidateRequest="false" to the web page you use for HTML post
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm1.aspx.cs" Inherits="WebApplication9.WebForm1" ValidateRequest="false" %>

Actually, if you think about why this request validation is enabled by default, it is a good thing for applications because it is especially useful against XSS attacks. You can find more about XSS attacks at http://ha.ckers.org/xss.html, which lists a large number of possible permutations and approaches for XSS attacks. So when you disable this security feature, make sure you are doing the following in your code-behind files etc.


// do safe checks everywhere possible when you use HTML text box values
if (this.IsPostBack)
{
    // HtmlEncode (System.Web.HttpUtility) so the posted markup is rendered
    // as literal text instead of being interpreted by the browser
    this.OutputLabel.Text = HttpUtility.HtmlEncode(Request["InputHTMLBox"]);
}

However, after you have already done the above, if you try to upgrade your application to ASP.NET 4 without additional configuration changes, your application pages that do HTML post will still throw errors similar to the above (“potentially dangerous request…” etc.). Actually, the fix for this can easily be seen on your dev machine by looking at the Yellow Screen of Death (YSOD) as shown in the screenshot above. You need to make the following web.config change:


<httpRuntime requestValidationMode="2.0" />

But like me you might wonder why you need this change in addition to the changes you had to make in ASP.NET 3.5. The reason is that in ASP.NET 4.0 this protection is applied to all requests (not just .aspx pages), and it is fired in the BeginRequest event of HttpApplication, which runs before the page's own ValidateRequest setting is ever consulted. If you need to revert to the old behavior, you can change it via web.config so that your pages get a chance to disable request validation.

You can use Microsoft’s Anti-XSS Library if you need more fine-grained control, or you can write a custom HTML post validator without reverting to the old mode, using a class that inherits from

System.Web.Util.RequestValidator

and specifying its name in web.config:


<httpRuntime requestValidationType="webapp1.custHTMLPostValidator, webapp1" />
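As an added example (not code from the original post), here is a custom validator of that shape: it exempts only named form fields from the built-in check and defers everything else to the base class. The namespace and class name follow the web.config line above; the field name InputHTMLBox is taken from the code-behind snippet, and the allow-list itself is an assumption for illustration.

```csharp
// Added example, not from the original post: a custom request validator for ASP.NET 4.0
// that lets only allow-listed form fields carry raw HTML, while every other input
// (query string, cookies, headers, raw URL, other form fields) keeps the default check.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Util;

namespace webapp1
{
    public class custHTMLPostValidator : RequestValidator
    {
        // Allow-list of form fields permitted to contain HTML markup (assumed for this example).
        // Anything not listed here still gets the stock "potentially dangerous" validation.
        private static readonly HashSet<string> HtmlFields =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "InputHTMLBox" };

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Exempt only POSTed form fields on the allow-list; never exempt other sources.
            if (requestValidationSource == RequestValidationSource.Form
                && collectionKey != null
                && HtmlFields.Contains(collectionKey))
            {
                validationFailureIndex = -1; // -1 tells the caller there is no failing position
                return true;
            }

            // Everything else goes through the built-in validator unchanged.
            return base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}
```

Exempting a field only skips the input-side check; the page must still encode or sanitize that value before rendering it, as the HtmlEncode snippet above does.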

Posted by on March 7, 2012 in ASP.NET
