2

In an asp.net web forms application we get an error message with "A potentially dangerous Request.RawUrl" sometimes, but I cannot find the source of it.

What are the possible reasons for this exception?


Some details from our case:

Event message: A validation error has occurred

Exception type: System.Web.HttpRequestValidationException

Exception message: A potentially dangerous Request.RawUrl value was 
detected from the client (="..._Combin%20%20%20%20%20%2...").

Request URL: https://somesite/somepage.aspx
?_TSM_HiddenField_=ctl00_sm1_HiddenField
&_TSM_Combin%20</div>%20%20%20%20%20%20%20%20<div%20id=

Stack trace:    at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
   at System.Web.HttpRequest.get_RawUrl()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.somepage_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

I recognise the part with TSM_HiddenField in the html of the generated page:

<script src="/somepage.aspx?_TSM_HiddenField_=ctl00_sm1_HiddenField&_TSM_CombinedScripts_=
%3b%3bAjaxControlToolkit%2c+Version%3d3.5.11119.20050%2c+Culture%3dneutral%2c
+PublicKeyToken%3d28f01b0e84b6d53e%3ada-DK%3a8e147239-dd05-47b0-8fb3-f743a139f982
%3ae2e86ef9%3a1df13a87%3a8ccd9c1b%3ac4c00916%3a9ea3f0e2%3a9e8e87e9
%3a4c9865be%3aba594826%3ac76f1358" type="text/javascript"></script> 

... so it seems to be related to AjaxControlToolkit in this case, but how can this exception happen?

(It happens when a user is logged in, so I doubt there is some crawler or hack attempt involved...)

Ole Lynge
  • 1
    What is making the request be a get instead of a post? That would be where I'd see the error popping up. – JB King Oct 28 '09 at 18:26

2 Answers

2

Looks like you have HTML markup in the submitted form fields, could be this one:

&_TSM_Combin%20</div>%20%20%20%20%20%20%20%20<div%20id=

The <div>'s the culprit.

o.k.w
  • I think that would have given a "potentially dangerous Request.Form" exception. Here it is Request.RawUrl instead of Request.Form. – Ole Lynge Oct 27 '09 at 10:16
  • @Ole, it's in the URL as a querystring `?_TSM_HiddenField_=ctl00_sm1_HiddenField &_TSM_Combin%20%20%20%20%20%20%20%20%20` – o.k.w Oct 27 '09 at 10:17
  • Yes. It is in the url for some script generated by asp.net. I think form fields with html would generate a "potentially dangerous Request Form" exception instead of Request.RawUrl... – Ole Lynge Oct 27 '09 at 10:19
  • @Ole: That should be the case, I guess. – o.k.w Oct 27 '09 at 12:15
  • I will downvote this one, since it seems quite misleading and not addressing the question... – Ole Lynge Oct 29 '09 at 18:46
  • Agreed, this doesn't actually help answer the question at hand. – ghost_mv Oct 20 '11 at 17:06
0

I think it has to do with ASP.NET request validation: http://www.asp.net/learn/whitepapers/request-validation/

It throws the exception if e.g. HTML tags are sent with the request.

Max
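As an added example (not code from the question, the answers or ASP.NET itself), the sketch below approximates the request-validation test on the raw URL and runs it over constructed log lines to show which client sent a URL that would be rejected. The pattern, the tab-separated log format, the addresses and the user-agent strings are assumptions made for illustration.

```python
import re

# Approximation (assumption) of the "dangerous string" test applied by
# ASP.NET request validation: '<' followed by a letter, '!', '/' or '?',
# or the sequence '&#'. The exact rules differ between framework versions.
DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")

def first_dangerous(raw_url):
    """Return (offset, excerpt) of the first match in the raw URL, or None.

    The URL is checked as received, without percent-decoding: the value
    quoted in the exception message above still contains '%20'.
    """
    m = DANGEROUS.search(raw_url)
    if m is None:
        return None
    start = max(m.start() - 15, 0)
    return m.start(), raw_url[start:m.start() + 15]

def triage(log_lines):
    """Return (client, user_agent, offset, excerpt) per rejected request.

    Expects the constructed format 'client<TAB>raw_url<TAB>user_agent'.
    """
    hits = []
    for line in log_lines:
        client, raw_url, agent = line.rstrip("\n").split("\t")
        hit = first_dangerous(raw_url)
        if hit:
            hits.append((client, agent, hit[0], hit[1]))
    return hits

# Constructed sample log: a well-formed combined-script request, the
# mangled URL shape from the question, and percent-encoded markup.
SAMPLE_LOG = [
    "192.0.2.10\t/somepage.aspx?_TSM_HiddenField_=ctl00_sm1_HiddenField"
    "&_TSM_CombinedScripts_=%3b%3bAjaxControlToolkit%2c+Version%3d3.5\tExampleBrowser/1.0",
    "192.0.2.11\t/somepage.aspx?_TSM_HiddenField_=ctl00_sm1_HiddenField"
    "&_TSM_Combin%20</div>%20%20%20%20%20%20%20%20<div%20id=\tExampleToolbar/2.0",
    "192.0.2.12\t/somepage.aspx?q=%3Cdiv%3E\tExampleBrowser/1.0",
]

if __name__ == "__main__":
    for client, agent, offset, excerpt in triage(SAMPLE_LOG):
        print(f"{client} [{agent}] offset {offset}: ...{excerpt}...")
```

Grouping the hits by user agent and referrer is what separates a single misbehaving client or intermediary from a fault in the page that generates the script URL.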