2

It looks like there is a bug in customErrors default redirect in web.config. In my web.config file I have the following customErrors setting

<customErrors defaultRedirect="~/generalerror.html?" mode="On" />

As far as I know this should send all errors to the custom generalerror.html page. It seems to work for some invalid URLs like

http://website.com/?x="<p>"
http://website.com/"<p>"

BUT it is not working when “&” is used in the URL and there is no “?” and there is an HTML tag. So this

http://website.com/&x="<p>"

totally ignores customErrors and you are given the default yellow Runtime Error instead of being sent to the custom generalerror.html page. How do I get this URL to also be redirected to the custom error page?

If I turn mode="Off" in the web.config I get the following error

A potentially dangerous Request.RawUrl value was detected from the client (="/&x="<p>"").
  • 2
    HTH! http://stackoverflow.com/questions/10837647/showing-custom-error-message-on-exception-a-potentially-dangerous-request-form http://stackoverflow.com/questions/9498180/customizing-a-potentially-dangerous-request-path-value-was-detected-error-page The thing you need to keep in mind is that this exception is thrown before your page code happens. So you normally cannot catch the error in your page code, but only in Application_Error. – Joe Dec 04 '13 at 19:19
  • I am not currently doing anything at the code level, but thanks for the links. I am just using the web.config customErrors tag to redirect errors to a specific page. This should be working from what I have read. In fact it does work as far as I can tell except for the very specific example I gave. I just need to find why it is not working for this one case – user2986086 Dec 04 '13 at 20:03
  • If you're using IIS7+ there's a simpler solution here:- http://stackoverflow.com/questions/30071341/asp-net-mvc-customerror-page-doesnt-get-displayed-for-some-of-the-400-errors/30072933#30072933 – Iain Galloway May 06 '15 at 09:39

1 Answer

0

Since you are passing HTML tags in the URL, it could be indicative of a cross-site scripting attack. Not all HTML tags are dangerous, but when HTML characters are followed by certain characters like '&' in your case, ASP.NET considers it a cross-site scripting attack and doesn't allow it by default.

You should consider encoding the URL to get around this. And it is always a best practice. Here is a good explanation about XSS. And here is a link that explains in detail how to get around this issue.

To change this behavior, you can set request validation to false in web.config.

<configuration>
<system.web>
    <pages validateRequest="false" />
</system.web>
</configuration>

But in this case, requests need to be validated in the pages.

Breaking changes were made to ASP.NET request validation in .NET 4.0 and this entry is required to revert the behavior to .NET 2.0 where invalid URLs will redirect to custom error page.

<httpRuntime requestValidationMode="2.0" />
Poornima
  • There are potential hackers and clients which are attempting to post invalid URLs and I need to make sure to send them to the same error page for a consistent look and feel. I don't want to turn validation off. I just want to send these requests to my error page when they happen. – user2986086 Dec 04 '13 at 19:57
  • Yes, if you disable validation, you need to validate the request in the page where you can redirect it to the error page if it is an invalid request. See this link http://stackoverflow.com/questions/20009815/a-potentially-dangerous-request-querystring-value-was-detected-from-the-client – Poornima Dec 04 '13 at 20:45
  • Adding requestValidationMode="2.0" to the httpRuntime tag allows the URL I mentioned to be processed correctly. So thanks for the help – user2986086 Dec 05 '13 at 15:30
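The first comment on the question says this exception can only be caught in Application_Error. The following is an added example (not code from the question, the answer, or any commenter) of a handler that leaves request validation enabled and sends rejected requests to the same page as customErrors. The `Global` class name and the `ErrorPage` constant are assumptions; the path is taken from the question's `defaultRedirect`.

```csharp
// Global.asax.cs -- added example; class name and ErrorPage constant are assumptions.
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    // Same page the question's customErrors defaultRedirect points at.
    private const string ErrorPage = "~/generalerror.html";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();

        // Request validation failures are HttpRequestValidationException,
        // either directly or wrapped by the runtime in an outer exception.
        HttpRequestValidationException rejected =
            ex as HttpRequestValidationException;
        if (rejected == null && ex != null)
        {
            rejected = ex.InnerException as HttpRequestValidationException;
        }

        if (rejected == null)
        {
            return; // every other error is left to customErrors in web.config
        }

        // Record the rejection for monitoring. Only the exception message is
        // used; the handler does not read Request.RawUrl or Request.QueryString,
        // because reading request values can trigger validation again.
        Trace.TraceWarning("Request validation rejected a request: {0}",
                           rejected.Message);

        // Mark the error as handled so the yellow error page is not rendered,
        // then redirect the client the way customErrors would.
        Server.ClearError();
        Response.Clear();
        Response.Redirect(ErrorPage, false); // false: do not abort the thread
        CompleteRequest();                   // skip the rest of the pipeline
    }
}
```

With this in place `<pages validateRequest="false" />` is not needed, so the built-in check keeps rejecting the markup and only the error presentation changes.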